Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/02/01 17:58:50 UTC

DO NOT REPLY [Bug 16667] New: - tomcat 4.1.18 + apache 1.3.26 WEB-INF web.xml visible

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16667>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16667

tomcat 4.1.18 + apache 1.3.26 WEB-INF web.xml visible

           Summary: tomcat 4.1.18 + apache 1.3.26 WEB-INF web.xml visible
           Product: Tomcat 4
           Version: 4.1.18
          Platform: All
               URL: I have one application running in tomcat 4.1.18 and
                    apache.
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: dionisio@tinieblas.com


I have several applications running in tomcat 4.1.18 and apache 1.3.26 with
mod_jk 1.2.2.
If I write in the browser (Explorer):
http://www.domain.com/WEB-INF/web.xml
the system shows me the file, the web.xml conf file.
This is a great security problem.

In the apache conf file I have:
<Directory "WEB-INF">
Options -Indexes
AllowOverride None
Order deny,allow
Deny from all
</Directory>

And it is possible to load the classes (class files) that are in the
WEB-INF/classes directory.

The example is at:
http://www.tinieblas.com/WEB-INF/web.xml

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
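Added example, not part of the bug report or of the Tomcat project's own configuration: an Apache httpd 1.3 fragment that denies every WEB-INF and META-INF path by request URI, so the protection holds even when Apache serves the webapp's static files directly from the Tomcat document root. It assumes a placeholder webapps path of /usr/local/tomcat/webapps and a mod_jk worker named ajp13.

```apache
# Assumed (placeholder) Tomcat webapp directory that Apache serves statically.
DocumentRoot "/usr/local/tomcat/webapps/ROOT"

# Deny WEB-INF and META-INF by URL path for every webapp. <LocationMatch>
# matches the request URI, so it does not depend on which filesystem
# directory the webapp lives in. A relative <Directory "WEB-INF"> is never
# matched by Apache, which is why such a block does not block the request.
# "(/|$)" also covers a request for /WEB-INF with no trailing slash.
# On case-insensitive filesystems the pattern must also cover case variants.
<LocationMatch "/(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Filesystem-level deny as a second layer. <Directory> is only applied
# to an absolute path, so the full path must be given here.
<Directory "/usr/local/tomcat/webapps/ROOT/WEB-INF">
    Options -Indexes
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Dynamic content still goes to Tomcat through mod_jk (worker name assumed).
JkMount /*.jsp ajp13
JkMount /servlet/* ajp13
```

After restarting httpd, a request for http://www.domain.com/WEB-INF/web.xml should return 403 Forbidden rather than the file contents.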