httpd-users mailing list archives

From "Leo Gil" <leonardob...@gmail.com>
Subject Re: [users@httpd] Block Tomcat's directory listing vulnerability with Directory and regex
Date Tue, 19 Dec 2006 00:35:48 GMT
This did the work with Apache. I was trying to get rid of the semicolon but
this seems better.

<LocationMatch "/.+">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from none
</LocationMatch>

Now I have to decide between a Tomcat 404 or an Apache access denied.

Thanks again

Leo

On 12/18/06, Leo Gil <leonardobgil@gmail.com> wrote:
>
> After hunting this problem down I found an easy fix on Tomcat. So easy
> that it upsets me...
>
> Just setting listings to false did the trick on web.xml:
>
> <init-param>
>   <param-name>listings</param-name>
>   <param-value>false</param-value>
> </init-param>
>
> I'm going to try LocationMatch; it's better than displaying a Tomcat 404.
>
> Thanks for your help
>
> Leo
> On 12/18/06, Nick Kew <nick@webthing.com> wrote:
> >
> > On Mon, 18 Dec 2006 18:26:06 -0500
> > "Leo Gil" <leonardobgil@gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > I have been trying to block the Tomcat directory listing vulnerability
> > > using Apache's Directory with no success.
> >
> > No chance.  <Directory> applies to local files, not anything
> > served by tomcat.  You want <LocationMatch>.
> >
> >
> > --
> > Nick Kew
> >
> > Application Development with Apache - the Apache Modules Book
> > http://www.apachetutor.org/
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
>
