Posted to users@tomcat.apache.org by Brian Buchanan <Br...@interfast.ca> on 2005/11/18 20:15:54 UTC
Re: How to set restrictions on the retrieval of files from some directories
Upgrade. In a short test on two of my servers, 5.0.28 on Windows has this
WEB-INF. vulnerability, but 5.5.7 did not.
-----Original Message-----
From: "Alla Winter" <al...@cobrasource.com>
To: <us...@tomcat.apache.org>
Date: Thu, 17 Nov 2005 14:19:13 -0600
Subject: How to set restrictions on the retrieval of files from some directories
> By default it is possible to retrieve files located under the 'WEB-INF'
> directory. For example: www.someserver.com/WEB-INF./web.xml or
> www.someserver.com/WEB-INF./classes/MyServlet.class
>
> What needs to be done to prevent it? Why are such restrictions not set by
> default? This vulnerability prevents us from passing the security
> certification test.
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
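The trailing-dot form in the question ("WEB-INF." rather than "WEB-INF") works because the Windows file system drops trailing dots and spaces from a path component when it opens a file, so a literal prefix check on the request URL never sees the directory the operating system will actually open. The block below is an added example, not code from this thread or from Tomcat itself: it contrasts a naive prefix check with one that canonicalises the path the way Windows would before deciding, and includes a small probe you can point at a test server to confirm that every variant comes back 404 instead of 200. The variant list is constructed for illustration, and the names naive_is_protected, canonicalize, hardened_is_protected and probe are hypothetical.

```python
"""
Decide whether a request path would reach WEB-INF or META-INF once the
operating system has normalised it, covering the "WEB-INF." trailing-dot
variant reported for Tomcat 5.0.28 on Windows.  Added example; not Tomcat code.
"""
from urllib.error import HTTPError, URLError
from urllib.parse import unquote
from urllib.request import Request, urlopen

PROTECTED = ("WEB-INF", "META-INF")

# Constructed probe list: every entry should be refused (404) by a fixed server.
VARIANTS = [
    "/WEB-INF/web.xml",                   # literal form, refused by every version
    "/WEB-INF./web.xml",                  # trailing dot, as reported in the thread
    "/WEB-INF%2e/web.xml",                # percent-encoded trailing dot
    "/WEB-INF%20/web.xml",                # trailing space, stripped the same way
    "/web-inf./web.xml",                  # case variation on a case-insensitive FS
    "/WEB-INF./classes/MyServlet.class",  # compiled servlet, as in the question
    "/images/..%2fWEB-INF./web.xml",      # encoded traversal into the same place
]


def naive_is_protected(path: str) -> bool:
    """A literal prefix check: only the exact spelling of the directory is caught."""
    upper = path.upper()
    return upper.startswith("/WEB-INF/") or upper.startswith("/META-INF/")


def windows_component(segment: str) -> str:
    """Model Win32 naming: trailing dots and spaces are removed from each component
    (assumption stated in the lead-in), so 'WEB-INF.' opens 'WEB-INF'."""
    return segment.rstrip(". ")


def canonicalize(path: str) -> list:
    """Percent-decode (twice, deliberately conservative against double encoding),
    normalise separators, resolve '.' and '..', then apply Win32 trailing-dot
    stripping.  Returns the list of path components the OS would actually open."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        seg = windows_component(seg)
        if seg:
            out.append(seg)
    return out


def hardened_is_protected(path: str) -> bool:
    """True if any canonical component is WEB-INF or META-INF, case-insensitively.
    Flagging any component (not just the first) also covers requests that arrive
    with the context path still attached."""
    return any(seg.upper() in PROTECTED for seg in canonicalize(path))


def probe(base_url: str, paths=VARIANTS, timeout: float = 5.0) -> dict:
    """Request each variant against a live server and map path -> HTTP status.
    A 200 for anything in VARIANTS is a finding; None means the request failed."""
    results = {}
    for p in paths:
        try:
            with urlopen(Request(base_url.rstrip("/") + p, method="GET"),
                         timeout=timeout) as resp:
                results[p] = resp.status
        except HTTPError as err:
            results[p] = err.code
        except URLError:
            results[p] = None
    return results


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:40} naive={naive_is_protected(v)!s:5} hardened={hardened_is_protected(v)}")
```

Run the module directly to see which variants the naive check misses, or call probe("http://host:8080/yourapp") from a shell against a server you are allowed to test; Tomcat is expected to answer 404 for every entry.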
Re: How to set restrictions on the retrieval of files from some directories
Posted by Ben Souther <be...@souther.us>.
I just tested on 5.0.28 and can't see anything under WEB-INF.
Are you using Tomcat as a standalone or with a connector?
On Fri, 2005-11-18 at 14:15, Brian Buchanan wrote:
> Upgrade. In a short test on two of my servers, 5.0.28 on Windows has this
> WEB-INF. vulnerability, but 5.5.7 did not.
>
> -----Original Message-----
> From: "Alla Winter" <al...@cobrasource.com>
> To: <us...@tomcat.apache.org>
> Date: Thu, 17 Nov 2005 14:19:13 -0600
> Subject: How to set restrictions on the retrieval of files from some directories
>
> > By default it is possible to retrieve files located under the 'WEB-INF'
> > directory. For example: www.someserver.com/WEB-INF./web.xml or
> > www.someserver.com/WEB-INF./classes/MyServlet.class
> >
> > What needs to be done to prevent it? Why are such restrictions not set by
> > default? This vulnerability prevents us from passing the security
> > certification test.
> >
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Re: How to set restrictions on the retrieval of files from some directories
Posted by Tim Funk <fu...@joedog.org>.
Something is fishy with your server (or configuration). I cannot reproduce
that issue with 5.0.28 on Windows.
-Tim
Brian Buchanan wrote:
> Upgrade. In a short test on two of my servers, 5.0.28 on Windows has this
> WEB-INF. vulnerability, but 5.5.7 did not.
>
> -----Original Message-----
> From: "Alla Winter" <al...@cobrasource.com>
> To: <us...@tomcat.apache.org>
> Date: Thu, 17 Nov 2005 14:19:13 -0600
> Subject: How to set restrictions on the retrieval of files from some directories
>
>
>> By default it is possible to retrieve files located under the 'WEB-INF'
>> directory. For example: www.someserver.com/WEB-INF./web.xml or
>> www.someserver.com/WEB-INF./classes/MyServlet.class
>>
>> What needs to be done to prevent it? Why are such restrictions not set by
>> default? This vulnerability prevents us from passing the security
>> certification test.