tomcat-users mailing list archives

From Tim Funk <>
Subject Re: Security RISK !
Date Thu, 24 Oct 2002 11:08:24 GMT
401/404 - Forbidden vs not found doesn't matter as long as the intruder 
is forbidden. Relying on confusing the user is a nice technique for 
preventing intruders, since it may waste more of their time and make them 
more likely to give up. But that may make others more determined to try 
to break in.

Depending on how apache is configured, the intruder will be able to view 
the HTTP response header and see that you may be running mod_jk/mod_webapp 
or whatever. The intruder can also see if you are running jhtml, jsp, or 
/servlet/ - it will be easy to deduce you are using some servlet engine. 
Some servlet engines also set a session cookie per webapp. It would be 
easy to deduce that a jsessionid cookie for /myfooapp indicates that 
/myfooapp is a webapp and it has a WEB-INF. So I will first ask for:
http://bar/myfooapp/WEB-INF/web.xml, and hope I have a novice config, and 
next ask for: http://bar/myfooapp/WEB-INF/ to see if I can get a 
directory listing. Then the fun really begins.

Personally - I like my way better since I run multiple webapps on our 
servers. That way I don't have to explicitly protect each WEB-INF. 
(Which could get forgotten while installing a new webapp)

Veniamin Fichin wrote:
> Tim Funk wrote:
>> You'll want to protect your WEB-INF directory as well as any 
>> properties files. You can do that by using by the following in your 
>> httpd.conf: (This should be the syntax)
>> <Files ~ "\.properties$">
>>     Order allow,deny
>>     Deny from all
>>     Satisfy All
>> </Files>
>> <Directory ~ "/WEB-INF/">
>>     Order allow,deny
>>     Deny from all
>>     Satisfy All
>> </Directory>
> Recently I did something else. Say, I have a webapp named "mine" in 
> Tomcat, and have this line in httpd.conf:
> Alias  /mine /var/www/tomcat/webapps/mine/web
> I've made the "web" directory following recommendations described in 
> the section Source Organization of the Tomcat docs 
> (<>).
> So, instead of denying any access to WEB-INF directory, I wrote:
> Alias /mine/WEB-INF /something_that_does_not_exists
> And, when I access http://localhost/mine/WEB-INF , I get a 404 Not Found 
> error instead of 403 Forbidden. I think it will be more confusing for 
> the intruder if he is told that WEB-INF doesn't even exist there.
> Or is it less secure to do that?
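An added check, not part of this thread or of Tomcat/Apache: a small POSIX shell script that does what the reply above says an intruder would do first, requesting /<ctx>/WEB-INF/web.xml and /<ctx>/WEB-INF/ for each webapp context you name, and reporting whether the front-end server blocks them. Both 403 and 404 count as blocked, which is the point of the reply; only a 200 is flagged. The host http://bar and context names are placeholders, the WEB-INF/classes/ path is an assumed extra probe, and curl is assumed to be installed.

```sh
#!/bin/sh
# webinf_check.sh - probe a web server fronting a servlet engine for
# exposed WEB-INF resources.  (Added example, not code from the thread.)
#
# Usage: ./webinf_check.sh http://bar myfooapp mine
# Exit status 1 if any probed path returns 200, else 0.

# The requests an intruder would try first, in order, for one context.
# WEB-INF/classes/ is an assumed extra probe (directory listing of code).
probe_paths() {
  ctx="$1"
  printf '%s\n' \
    "/$ctx/WEB-INF/web.xml" \
    "/$ctx/WEB-INF/" \
    "/$ctx/WEB-INF/classes/"
}

# Map an HTTP status code to a verdict.  403 (Deny from all) and 404
# (Alias to a non-existent directory) are equally fine: the intruder is
# refused either way.  Only 200 means the resource was served.
classify() {
  case "$1" in
    200)         echo EXPOSED ;;
    401|403|404) echo blocked ;;
    000)         echo unreachable ;;   # curl could not connect
    *)           echo "other($1)" ;;
  esac
}

# Fetch only the status code; body is discarded.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

main() {
  base="$1"; shift
  rc=0
  for ctx in "$@"; do
    for p in $(probe_paths "$ctx"); do     # paths contain no whitespace
      code=$(http_status "$base$p")
      verdict=$(classify "$code")
      printf '%-40s %s %s\n' "$base$p" "$code" "$verdict"
      [ "$verdict" = "EXPOSED" ] && rc=1
    done
  done
  return $rc
}

# Run only when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it after every new webapp is deployed; a regex `<Directory ~ "/WEB-INF/">` deny (or an equivalent `<LocationMatch>`) covers new contexts automatically, whereas a per-webapp `Alias` has to be added by hand each time, which is the forgetting risk the reply mentions.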

