tomcat-users mailing list archives

From <l...@wolfcall.de>
Subject has the use of mod_webapp a file disclosure vulnerability?
Date Tue, 01 Jan 2002 23:22:10 GMT
Hello,

I just went the easy way to install Tomcat4 on Linux via binary RPMs
(tomcat4-4.0-1, tomcat4-webapps-4.0-1) and configured my Apache/1.3.20
something like this:
<VirtualHost 10.1.1.1>
    DocumentRoot /var/www/virtual/testhost
    ServerName www.testhost.dom
<IfModule mod_webapp.c>
    WebAppDeploy examples warpConnection /examples/
</IfModule>
</VirtualHost>

The Apache Webserver has some handlers configured:
AddHandler server-parsed .shtml
AddHandler send-as-is asis

Now if I request any URL ending with ".shtml", the Apache server
handles the request itself (which may be perfectly legal), but it
ignores the DocumentRoot!
So a request for "http://www.testhost.dom/var/www/html/index.shtml"
tries to serve the file "/var/www/html/index.shtml" which is not
contained in the DocumentRoot of that virtual host. The server seems
to take "/" as the new DocumentRoot. This behaviour occurs whether
the Tomcat engine itself is running or not.

Is this a problem of the Apache Webserver, a flaw of mod_webapp or did
I just do something completely wrong in my configuration?

regards,
Markus "Lupo" Volk

-- 
Hardware, n.:
  The parts of a computer system that can be kicked.
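
Added example, not part of the original message and not code from the Tomcat or Apache projects: a log check for the symptom described above, where a 200 response is returned for a handler-mapped URI that exists as an absolute filesystem path but not under the virtual host's DocumentRoot. It assumes a Common Log Format access log and is meant to run on the web server host; the function names, file listing and log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/virtual/testhost"      # DocumentRoot from the post
HANDLER_SUFFIXES = (".shtml", ".asis")     # from the two AddHandler lines

# Common Log Format: host ident user [time] "METHOD uri PROTO" status bytes
CLF = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) \S+$')

def served_outside_docroot(uri, docroot=DOCROOT, exists=posixpath.isfile):
    """True if uri names a handler-mapped file that exists at the absolute
    filesystem path equal to the URI but not under the DocumentRoot."""
    path = posixpath.normpath(unquote(uri.split("?", 1)[0]))
    if not path.startswith("/") or not path.endswith(HANDLER_SUFFIXES):
        return False
    inside = posixpath.join(docroot, path.lstrip("/"))
    return bool(exists(path)) and not exists(inside)

def scan(lines, docroot=DOCROOT, exists=posixpath.isfile):
    """Return URIs answered with 200 that match the symptom in the post."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if m and m.group(2) == "200" and served_outside_docroot(
                m.group(1), docroot, exists):
            hits.append(m.group(1))
    return hits

# Constructed file listing and log lines (not taken from a real server).
CONSTRUCTED_FILES = {
    "/var/www/html/index.shtml",
    "/var/www/virtual/testhost/index.shtml",
}
SAMPLE_LOG = [
    '10.1.1.50 - - [01/Jan/2002:23:10:01 +0000] "GET /index.shtml HTTP/1.0" 200 512',
    '10.1.1.50 - - [01/Jan/2002:23:10:07 +0000] "GET /var/www/html/index.shtml HTTP/1.0" 200 1843',
    '10.1.1.50 - - [01/Jan/2002:23:10:09 +0000] "GET /var/www/html/missing.shtml HTTP/1.0" 404 210',
    '10.1.1.50 - - [01/Jan/2002:23:10:12 +0000] "GET /examples/index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    # Uses the constructed listing so the example runs offline.
    print(scan(SAMPLE_LOG, exists=CONSTRUCTED_FILES.__contains__))
```

On a real host, call scan() on the virtual host's access log with the default exists argument so the checks are made against the actual filesystem.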

