tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
Date Wed, 02 Mar 2005 18:22:05 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=32696>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=32696


sizing.tw@yahoo.com.tw changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
          Component|Unknown                     |Connector:JK/AJP
           Keywords|                            |ErrorMessage,
                   |                            |NeedsReleaseNote
         Resolution|FIXED                       |
            Version|4.1.30                      |4.1.31




------- Additional Comments From sizing.tw@yahoo.com.tw  2005-03-02 19:22 -------
Finding: When the scanning tools guessed WEB-INF directory, the error message 
indicated that access to the directory was denied.  As a result, the error 
message confirmed the existence of this directory.

Tomcat response HTTP Status 404, while isapi_redirect.dll redirector responses 
Access forbidden!...., which is HTTP Status 403.

Example:
http://localhost:8080/WEB-INF/
Return: HTTP Status 404 - /WEB-INF/
This is correct.

http://localhost:80/WEB-INF/
Return: Access forbidden!
You don't have permission to access the requested object. It is either read-
protected or not readable by the server.

This should be 404, not 403.

I have checked the code, jakarta-tomcat-connectors-1.2.8-
src\jk\native\isapi\jk_isapi_plugin.c, at line 713, and it does response 403 
HTTP Status.  I cannot find the place to change it from configuration file 
except re-compile this redirector.

While directory listing is not strictly considered vulnerability, I suggest to 
response 404 HTTP Status to hide the directory, like Tomcat does now.

I found a link http://jakarta.apache.org/tomcat/connectors-doc/howto/iis.html 
mentions something like this:

Protecting the WEB-INF Directory 
...., this directory contains sensitive configurations data and Java classes 
and must be kept hidden from web users. Using the IIS management console it is 
possible to protect the WEB-INF directory from user access,.....

To avoid this need the redirector plugin automatically protects your WEB-INF 
directories by rejecting any request that contains WEB-INF in its URL-Path.

I tried to configure IIS, but it looks like jk_isapi gets higher priority to 
handle the request and always returns 403 status.  Without re-compile the 
program, how can I make IIS return 404 status?  Or maybe next release will do?

Recommendation from Cert: When an unauthorized user attempts to access a 
directory, they should receive an error message that doesn't confirm the 
existence of the directory.  Whether a user is trying to access a valid or 
invalid directory, they should receive the same error message.

My system environment:
Win 2K
Tomcat 4.1.31
IIS 5
JK-1.2.8 - isapi_redirect-1.2.8.dll binary version - 17 December




-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message