DO NOT REPLY [Bug 22630] New: - The bug featured in URL appears to affect Apache and Tomcat when used with mod_jk2

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22630>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22630

The bug featured in URL appears to affect Apache and Tomcat when used with mod_jk2

           Summary: The bug featured in URL appears to affect Apache and
                    Tomcat when used with mod_jk2
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: Other
               URL: http://www.westpoint.ltd.uk/advisories/wp-02-0002.txt
        OS/Version: Windows NT/2K
            Status: UNCONFIRMED
          Severity: Normal
          Priority: Other
         Component: Other Modules
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jsymons@microsourceonline.com


When mod_jk2 is used as a connector between Apache 2.0.47 and Tomcat 4.1.24 that
even if the /WEB-INF/ directory of a web application is explicitly set to deny
from all in the Apache configuration files, that files can still be retrieved
using a directory of /WEB-INF./ without any problems. Apparently this bug
effects all versions of windows, however I have only tested it in a Windows 2000
environment. This allows access to class files, the web.xml, and anything else
located in this directory. A workaround for this bug is to also explictly set
/WEB-INF./ to deny from all in the Apache config files.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org