Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/02/01 17:58:50 UTC
DO NOT REPLY [Bug 16667] New: - tomcat 4.1.18 + apache 1.3.26 WEB-INF web.xml visible
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16667>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16667
Summary: tomcat 4.1.18 + apache 1.3.26 WEB-INF web.xml visible
Product: Tomcat 4
Version: 4.1.18
Platform: All
URL: I have one application running in tomcat 4.1.18 and apache.
OS/Version: Linux
Status: NEW
Severity: Critical
Priority: Other
Component: Unknown
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: dionisio@tinieblas.com
I have several applications running in tomcat 4.1.18 and apache 1.3.26 with
mod_jk 1.2.2.
If I write in the browser (Explorer):
http://www.domain.com/WEB-INF/web.xml
the system shows me the file, the web.xml conf file.
This is a great security problem.
In the apache conf file I have:
<Directory "WEB-INF">
Options -Indexes
AllowOverride None
Order deny,allow
Deny from all
</Directory>
and it is possible to load the classes (class files) that are in the
WEB-INF/classes directory.
The example is at:
http://www.tinieblas.com/WEB-INF/web.xml
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
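For readers hitting the same exposure, here is an Apache 1.3 + mod_jk fragment that blocks WEB-INF and META-INF by request URI instead of by filesystem directory. This is an added example, not the reporter's configuration or anything from the Tomcat project; the DocumentRoot, ServerName and the mod_jk worker name "ajp13" are assumptions.

```apache
# Added example, not the reporter's config. Paths, host and worker name are assumed.
<VirtualHost *>
    ServerName www.example.com
    # Apache serves the webapp's static files directly from the context directory,
    # which is why WEB-INF/web.xml became reachable as a plain file.
    DocumentRoot /var/tomcat4/webapps/myapp

    # Forward dynamic requests to Tomcat through mod_jk (worker name assumed).
    JkMount /*.jsp ajp13
    JkMount /servlet/* ajp13

    # <Directory> needs an absolute filesystem path; a relative "WEB-INF"
    # never matches. <LocationMatch> works on the request URI, so one block
    # covers every context and everything below WEB-INF, including /classes.
    <LocationMatch "/WEB-INF/">
        Order deny,allow
        Deny from all
    </LocationMatch>
    <LocationMatch "/META-INF/">
        Order deny,allow
        Deny from all
    </LocationMatch>
</VirtualHost>
```

After a reload, a request for /WEB-INF/web.xml or /WEB-INF/classes/Anything.class should return 403 from Apache; anything that still comes back 200 is being served from a path the match does not cover.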