Subject: has the use of mod_webapp a file disclosure vulnerability?
Date: Wed, 2 Jan 2002 00:22:10 +0100 (CET)
List: "Tomcat Users List" <tomcat-user@jakarta.apache.org>

Hello,

I just went the easy way to install Tomcat4 on linux via binary RPMs (tomcat4-4.0-1, tomcat4-webapps-4.0-1) and configured my Apache/1.3.20 something like this:

    DocumentRoot /var/www/virtual/testhost
    ServerName www.testhost.dom
    WebAppDeploy examples warpConnection /examples/

The Apache Webserver has some handlers configured:

    AddHandler server-parsed .shtml
    AddHandler send-as-is asis

Now if I request any URL ending with ".shtml", the Apache server handles the request itself (which may be perfectly legal), but it ignores the DocumentRoot! So a request for "http://www.testhost.dom/var/www/html/index.shtml" tries to serve the file "/var/www/html/index.shtml", which is not contained in the DocumentRoot of that virtual host. The server seems to take "/" as the new DocumentRoot. This behaviour occurs whether the Tomcat engine itself is running or not.
Is this a problem of the Apache Webserver, a flaw of mod_webapp, or did I just do something completely wrong in my configuration?

regards,
Markus "Lupo" Volk

--
Hardware, n.: The parts of a computer system that can be kicked.
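The symptom reported above (a virtual host answering a request whose URI is really an absolute filesystem path) can be checked from the server's own access log. The following is an added example, not code from the mail or from the Tomcat/mod_webapp project: it models how a URI should map to a file under the configured DocumentRoot, shows what the same URI maps to when the server falls back to "/", and flags log entries where a filesystem-looking URI was answered with 200. The log lines, the filesystem prefixes treated as suspicious and the function names are all constructed for the example.

```python
import posixpath
import re

# Constructed access-log lines in Apache "common" format (not from the original mail).
# Line 2 is the case described in the mail: a URI that mirrors a real filesystem path
# outside the vhost's DocumentRoot, yet answered with 200.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2002:00:10:01 +0100] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [02/Jan/2002:00:10:07 +0100] "GET /var/www/html/index.shtml HTTP/1.0" 200 1843
10.0.0.9 - - [02/Jan/2002:00:11:30 +0100] "GET /examples/jsp/index.html HTTP/1.0" 200 2210
10.0.0.9 - - [02/Jan/2002:00:12:02 +0100] "GET /etc/passwd HTTP/1.0" 404 297
"""

# Minimal parser for the common log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request URIs beginning with these prefixes look like absolute filesystem paths rather
# than paths under a vhost's DocumentRoot (constructed heuristic; tune per host layout).
FS_PREFIXES = ("/var/", "/etc/", "/usr/", "/home/", "/opt/")


def map_uri_to_path(docroot, uri):
    """Map a request URI to the file the vhost *should* serve.

    The URI is normalised as an absolute path first, so '..' segments are collapsed
    against the URI root and can never climb above docroot; the result is always
    docroot joined with the normalised URI.
    """
    path_part = uri.split("?", 1)[0]                      # drop any query string
    rel = posixpath.normpath("/" + path_part.lstrip("/"))  # e.g. /../x -> /x
    root = posixpath.normpath(docroot)
    return posixpath.normpath(posixpath.join(root, rel.lstrip("/")))


def served_path_if_docroot_ignored(uri):
    """What the same URI resolves to when the server treats '/' as the DocumentRoot,
    which is the behaviour the mail describes for .shtml requests."""
    return map_uri_to_path("/", uri)


def suspicious_requests(log_text, docroot):
    """Return (uri, status, expected_path) for requests whose URI looks like an absolute
    filesystem path and that were nevertheless answered with 200.

    expected_path is where the request should have been looked up under docroot; if the
    served content instead matches the file at the raw URI path, the DocumentRoot was
    ignored for that request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        uri, status = m.group("uri"), int(m.group("status"))
        if status == 200 and uri.startswith(FS_PREFIXES):
            hits.append((uri, status, map_uri_to_path(docroot, uri)))
    return hits


if __name__ == "__main__":
    docroot = "/var/www/virtual/testhost"
    for uri, status, expected in suspicious_requests(SAMPLE_LOG, docroot):
        print(f"{status} for {uri}: should be {expected}, "
              f"but with DocumentRoot '/' it is {served_path_if_docroot_ignored(uri)}")
```

Run against a real access log, any hit is worth comparing against the file actually on disk at the raw URI path: a 200 for "/var/www/html/index.shtml" whose body matches that file, rather than a file under "/var/www/virtual/testhost", confirms that the handler served outside the vhost's DocumentRoot.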