tomcat-users mailing list archives

From <l...@wolfcall.de>
Subject Re: has the use of mod_webapp a file disclosure vulnerability?
Date Tue, 01 Jan 2002 23:24:02 GMT
Oops, a fatal error in my mail.

On Wed, 2 Jan 2002 lupo@wolfcall.de wrote:

> Hello,
> 
> I just went the easy way to install Tomcat4 on Linux via binary RPMs
> (tomcat4-4.0-1, tomcat4-webapps-4.0-1) and configured my Apache/1.3.20
> something like this:
> <VirtualHost 10.1.1.1>
>     DocumentRoot /var/www/virtual/testhost
>     ServerName www.testhost.dom
> <IfModule mod_webapp.c>
>     WebAppDeploy examples warpConnection /examples/
The above line should read:
     WebAppDeploy examples warpConnection /
> </IfModule>
> </VirtualHost>
> 
> The Apache Webserver has some handlers configured:
> AddHandler server-parsed .shtml
> AddHandler send-as-is asis
> 
> Now if I request any URL ending with ".shtml", the Apache server
> handles the request itself (which may be perfectly legal), but it
> ignores the DocumentRoot!
> So a request for "http://www.testhost.dom/var/www/html/index.shtml"
> tries to serve the file "/var/www/html/index.shtml" which is not
> contained in the DocumentRoot of that virtual host. The server seems
> to take "/" as the new DocumentRoot. This behaviour occurs whether
> the Tomcat engine itself is running or not.
> 
> Is this a problem of the Apache Webserver, a flaw of mod_webapp or did
> I just do something completely wrong in my configuration?
> 
> regards,
> Markus "Lupo" Volk
> 
> 

-- 
Hardware, n.:
  The parts of a computer system that can be kicked.
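
A configuration check for the combination reported in the message above, as an added example that is not part of the original post or of any Apache or Tomcat tooling: it flags virtual hosts where `WebAppDeploy` mounts an application at `/` while Apache `AddHandler` mappings are in effect. The function name `audit`, the global placement of the `AddHandler` lines and the second virtual host are assumptions; the sample configuration is constructed from the quoted one.

```python
import re

# Constructed sample based on the configuration quoted in the message (corrected
# path "/"). Global AddHandler placement and the second vhost are assumptions.
SAMPLE_CONF = """\
AddHandler server-parsed .shtml
AddHandler send-as-is asis
<VirtualHost 10.1.1.1>
    DocumentRoot /var/www/virtual/testhost
    ServerName www.testhost.dom
<IfModule mod_webapp.c>
    WebAppDeploy examples warpConnection /
</IfModule>
</VirtualHost>
<VirtualHost 10.1.1.2>
    DocumentRoot /var/www/virtual/other
    ServerName www.other.dom
    WebAppDeploy examples warpConnection /examples/
</VirtualHost>
"""

def audit(conf_text):
    """Flag vhosts that deploy a webapp at "/" while AddHandler mappings apply."""
    global_exts, vhosts, current = set(), [], None
    for raw in conf_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "<virtualhost":
            current = {"vhost": None, "docroot": None, "app": None, "exts": set()}
            vhosts.append(current)
        elif key == "</virtualhost>":
            current = None
        elif key == "addhandler" and len(parts) >= 3:
            (current["exts"] if current else global_exts).update(parts[2:])
        elif current is not None and len(parts) >= 2:
            if key == "servername":
                current["vhost"] = parts[1]
            elif key == "documentroot":
                current["docroot"] = parts[1]
            elif key == "webappdeploy" and len(parts) >= 4 and parts[3] == "/":
                current["app"] = parts[1]
    return [
        {"vhost": v["vhost"], "docroot": v["docroot"], "app": v["app"],
         "extensions": sorted(global_exts | v["exts"])}
        for v in vhosts if v["app"] and (global_exts | v["exts"])
    ]
```

A finding only means the configuration matches the reported setup; whether files outside the `DocumentRoot` are actually served has to be confirmed on the server itself.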

