httpd-users mailing list archives

From "Leo Gil" <leonardob...@gmail.com>
Subject Re: [users@httpd] Block Tomcat's directory listing vulnerability with Directory and regex
Date Tue, 19 Dec 2006 00:46:28 GMT
This is better

<LocationMatch "/.+">
   Redirect / http://foo.com
</LocationMatch>



On 12/18/06, Leo Gil <leonardobgil@gmail.com> wrote:
>
> This did the work with Apache. I was trying to get rid of the semicolon
> but this seems better.
>
> <LocationMatch "/.+">
>    AllowOverride None
>    Order deny,allow
>    Deny from all
>    Allow from none
> </LocationMatch>
>
> Now I have to decide between a Tomcat 404 or an Apache access denied.
>
> Thanks again
>
> Leo
>
> On 12/18/06, Leo Gil <leonardobgil@gmail.com> wrote:
> >
> > After hunting this problem down I found an easy fix in Tomcat. So easy
> > that it upsets me...
> >
> > Just setting listings to false in web.xml did the trick:
> >
> > <init-param>
> >   <param-name>listings</param-name>
> >   <param-value>false</param-value>
> > </init-param>
> >
> > I'm going to try LocationMatch; it's better than displaying a Tomcat 404.
> >
> > Thanks for your help
> >
> > Leo
> >
> > On 12/18/06, Nick Kew <nick@webthing.com> wrote:
> > >
> > > On Mon, 18 Dec 2006 18:26:06 -0500
> > > "Leo Gil" <leonardobgil@gmail.com> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I have been trying to block the Tomcat directory listing
> > > > vulnerability using Apache's Directory with no success.
> > >
> > > No chance.  <Directory> applies to local files, not anything
> > > served by tomcat.  You want <LocationMatch>.
> > >
> > >
> > > --
> > > Nick Kew
> > >
> > > Application Development with Apache - the Apache Modules Book
> > > http://www.apachetutor.org/
> > >
> >
>
