tomcat-users mailing list archives

From <>
Subject has the use of mod_webapp a file disclosure vulnerability?
Date Tue, 01 Jan 2002 23:22:10 GMT

I just went the easy way to install Tomcat4 on Linux via binary RPMs
(tomcat4-4.0-1, tomcat4-webapps-4.0-1) and configured my Apache/1.3.20
something like this:
    DocumentRoot /var/www/virtual/testhost
    ServerName www.testhost.dom
<IfModule mod_webapp.c>
    WebAppDeploy examples warpConnection /examples/
</IfModule>

The Apache Webserver has some handlers configured:
AddHandler server-parsed .shtml
AddHandler send-as-is asis

Now if I request any URL ending with ".shtml", the Apache server
handles the request itself (which may be perfectly legal), but it
ignores the DocumentRoot!
So a request for "http://www.testhost.dom/var/www/html/index.shtml"
tries to serve the file "/var/www/html/index.shtml" which is not
contained in the DocumentRoot of that virtual host. The server seems
to take "/" as the new DocumentRoot. This behaviour occurs whether
the Tomcat engine itself is running or not.

Is this a problem of the Apache Webserver, a flaw of mod_webapp or did
I just do something completely wrong in my configuration?

Markus "Lupo" Volk

Hardware, n.:
  The parts of a computer system that can be kicked.
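
A log check for the symptom reported in the message above, as an added example that is not part of the original post: it scans access-log lines for requests to the handler-mapped extensions whose URL path reads like an absolute filesystem path outside the virtual host's DocumentRoot. The Common Log Format layout, the directory list, the sample lines and the function name are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extensions bound to Apache-side handlers in the posted configuration
# (AddHandler server-parsed .shtml / AddHandler send-as-is asis).
HANDLER_EXTS = (".shtml", ".asis")
# Assumption: top-level host directories that should never appear as the
# first segment of a URL path served by this virtual host.
FS_ROOT_DIRS = {"var", "etc", "home", "usr", "opt", "srv", "root", "tmp", "proc"}

# Assumption: access log in Common Log Format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_requests(lines, docroot):
    """Return (client, path, status) for handler-mapped requests whose URL
    path, read as an absolute filesystem path, falls outside docroot."""
    docroot = posixpath.normpath(docroot)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode %xx escapes and collapse "." / ".." / duplicate slashes.
        raw = unquote(urlsplit(m["target"]).path)
        path = "/" + posixpath.normpath(raw).lstrip("/")
        if not path.lower().endswith(HANDLER_EXTS):
            continue
        first_segment = path.lstrip("/").split("/", 1)[0]
        inside = path == docroot or path.startswith(docroot + "/")
        if first_segment in FS_ROOT_DIRS and not inside:
            hits.append((m["client"], path, int(m["status"])))
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:23:10:01 +0000] "GET /var/www/html/index.shtml HTTP/1.0" 200 1432',
    '192.0.2.10 - - [01/Jan/2002:23:10:05 +0000] "GET /index.shtml HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2002:23:11:40 +0000] "GET /examples/servlet/HelloWorld HTTP/1.0" 200 230',
    '192.0.2.12 - - [01/Jan/2002:23:12:02 +0000] "GET /home/%75ser/notes.asis HTTP/1.0" 404 280',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, "/var/www/virtual/testhost"):
        print(hit)
```

A 200 status on a flagged line means a file was actually returned for that path, so those entries are the ones to review first.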
