Posted to dev@cocoon.apache.org by Berin Loritsch <bl...@infoplanning.com> on 2000/07/12 21:36:42 UTC

SECURITY ALERT!!!!!

When testing Cocoon 2 on my Linux box, I typed in the following URL:

http://goat.infoplanning.com//

Cocoon (being mapped to the root context) returned the root directory
of my system:

/bin
/etc
/home
/proc
/sbin
/usr
....

This is BAD.  I know I get the DirectoryGenerator when I end my URL
with a slash, but I should never get anything outside the servlet
context.

I tried that because I wanted to see if I could get the listing of
my ROOT context in Tomcat.

Re: SECURITY ALERT!!!!!

Posted by Berin Loritsch <bl...@infoplanning.com>.
Stefano Mazzocchi wrote:
> 
> Berin Loritsch wrote:
> >
> > When testing Cocoon 2 on my Linux box, I typed in the following URL:
> >
> > http://goat.infoplanning.com//
> >
> > Cocoon (being mapped to the root context) returned the root directory
> > of my system:
> >
> > /bin
> > /etc
> > /home
> > /proc
> > /sbin
> > /usr
> > ....
> >
> > This is BAD.  I know I get the DirectoryGenerator when I end my URL
> > with a slash, but I should never get anything outside the servlet
> > context.
> >
> > I tried that because I wanted to see if I could get the listing of
> > my ROOT context in Tomcat.
> 
> This appears as a Tomcat bug, not Cocoon's. Isn't it so?

Nope.  It also happens with LWS-2.2.1 (by Gefion Software: www.gefionsoftware.com)

There is another unrelated bug with Cocoon2 that I will take care of
shortly.  It has to do with how we get the path URL that makes Cocoon
dependent on Tomcat.... But that's another issue.
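The root cause described in this thread is a request path that begins with a separator ("//") being resolved as an absolute filesystem path instead of relative to the servlet context. The following is an added illustration, not Cocoon's or Tomcat's code, written in Python rather than Java: `naive_resolve` shows the join that drops the context root, and `safe_resolve` shows the containment check a DirectoryGenerator needs (a temporary directory stands in for the context root).

```python
import os
import tempfile


def naive_resolve(context_root: str, request_path: str) -> str:
    """Failure mode from the thread: os.path.join discards context_root as soon
    as request_path starts with a separator, so "//" resolves to "//" and a
    directory listing of it enumerates /bin, /etc, /home, ... of the host."""
    return os.path.join(context_root, request_path)


def safe_resolve(context_root: str, request_path: str) -> str:
    """Resolve request_path strictly inside context_root.

    Leading slashes are stripped so the request can never be absolute, the
    result is canonicalised (".." and symlinks), and anything that does not
    stay under the canonical root is refused."""
    root = os.path.realpath(context_root)
    relative = request_path.lstrip("/")          # "//"      -> ""
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath is the containment test; candidate == root is allowed
    # (listing the context root itself is legitimate).
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{request_path!r} escapes the servlet context")
    return candidate


def demo() -> dict:
    """Constructed context root (temp dir with one 'docs' subdirectory)."""
    with tempfile.TemporaryDirectory() as ctx:
        os.mkdir(os.path.join(ctx, "docs"))
        root = os.path.realpath(ctx)
        results = {
            "naive_double_slash": naive_resolve(ctx, "//"),          # "//"
            "safe_double_slash": safe_resolve(ctx, "//") == root,     # True
            "safe_subdir": safe_resolve(ctx, "/docs/")
            == os.path.join(root, "docs"),                             # True
        }
        try:
            safe_resolve(ctx, "/../../etc")
            results["traversal_rejected"] = False
        except PermissionError:
            results["traversal_rejected"] = True                       # True
        return results


if __name__ == "__main__":
    print(demo())
```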

Re: SECURITY ALERT!!!!!

Posted by Stefano Mazzocchi <st...@apache.org>.
Berin Loritsch wrote:
> 
> When testing Cocoon 2 on my Linux box, I typed in the following URL:
> 
> http://goat.infoplanning.com//
> 
> Cocoon (being mapped to the root context) returned the root directory
> of my system:
> 
> /bin
> /etc
> /home
> /proc
> /sbin
> /usr
> ....
> 
> This is BAD.  I know I get the DirectoryGenerator when I end my URL
> with a slash, but I should never get anything outside the servlet
> context.
> 
> I tried that because I wanted to see if I could get the listing of
> my ROOT context in Tomcat.

This appears as a Tomcat bug, not Cocoon's. Isn't it so?

-- 
Stefano Mazzocchi      One must still have chaos in oneself to be
                          able to give birth to a dancing star.
<st...@apache.org>                             Friedrich Nietzsche
--------------------------------------------------------------------
 Missed us in Orlando? Make it up with ApacheCON Europe in London!
------------------------- http://ApacheCon.Com ---------------------