tomcat-users mailing list archives

From Dennis Muhlestein <den...@zserve.com>
Subject Re: Security RISK !
Date Tue, 22 Oct 2002 18:05:01 GMT
One issue I am aware of, but which may not apply, is that Apache, I think, has a
setting that can autofill file extensions for you.  If you put the
files in the same folder you may want to check for that.

If you map *.jsp to go to Tomcat, index.jsp goes to Tomcat.  But if you
type in /index, Apache, under that circumstance, would show the source of
the JSP.

There is also an issue with Tomcat 4.0.4 and before: if you type in the
default servlet with the JSP name as an extension, it'll show the
source.  That is with or without Apache, though.

-Dennis

On Tue, 2002-10-22 at 10:23, Sigurður Bjarnason wrote:
> 
> Hi all
> 
> I am using Apache 1.3 and Tomcat 4.0.4 together
> 
> I use Apache to serve all the static content, which I have a special directory for, and
> Tomcat serves all the JSP and servlet stuff.
> 
> The question is: is there any security risk if I have the Apache DocumentRoot pointing
> straight to the webapps folder?!
> 
> Best Regards
> Siggi
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> 
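
An added example, not part of the original thread: a Python audit of a directory that would become the Apache DocumentRoot, listing files Apache could return as raw static content, including the extensionless alias described in the reply above. The directory and extension lists and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumed policy for this example: directories the servlet container keeps
# private, and extensions whose raw bytes are source code or configuration.
PRIVATE_DIRS = {"WEB-INF", "META-INF"}
SOURCE_EXTS = {".jsp", ".jspf", ".java", ".properties"}

def audit_docroot(docroot):
    """Return sorted (url_path, reason) pairs for files under docroot that
    Apache could serve as plain static content."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # Compare case-insensitively: /web-inf/ reaches the same directory
        # on a case-insensitive filesystem.
        private = any(p.upper() in PRIVATE_DIRS for p in parts)
        for name in files:
            url = "/" + "/".join(parts + [name])
            stem, ext = os.path.splitext(name)
            if private:
                findings.append((url, "inside a container-private directory"))
            elif ext.lower() in SOURCE_EXTS:
                findings.append((url, "source served raw unless forwarded to Tomcat"))
                if ext.lower() == ".jsp":
                    # The extensionless form does not match a *.jsp mapping.
                    alias = "/" + "/".join(parts + [stem])
                    findings.append((alias, "extension autofill bypasses *.jsp mapping"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample webapps tree (not from the original thread)."""
    for rel in ("shop/index.jsp", "shop/logo.gif", "shop/WEB-INF/web.xml",
                "shop/WEB-INF/classes/Db.properties"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for url, reason in audit_docroot(tmp):
            print(f"{url:45} {reason}")
```

Every path it reports should either be moved out of the DocumentRoot or be covered by an explicit deny or forwarding rule in the Apache configuration.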

