tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 8263] New: - url-pattern easily to circumvent
Date Thu, 18 Apr 2002 16:28:39 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8263>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8263

           Summary: url-pattern easily to circumvent
           Product: Tomcat 3
           Version: 3.2.1 Final
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Webapps
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: egg@interactive-tools.de


It seems easy to circumvent the security-constraint set in a web.xml file.
If the url-pattern is e.g. /notaccessable/*, then typing a URL like the
following in a browser provides a listing where you can click and view every file.
http://domain:port/.//notaccessable/

If you know the name, you can type it just behind the last slash and you get the
file immediately.

Am I missing something?
Can this somehow be fixed?

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

