tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alla Winter" <a...@cobrasource.com>
Subject How to set restrictions on the retreival of files from some directories
Date Thu, 17 Nov 2005 20:19:13 GMT
BY default it is possible to retrieve files located under the 'WEB-INF'
directory. For example: www.someserver.com/WEB-INF./web.xml or
www.someserver.com/WEB-INF./classes/MySer
<http://www.someserver.com/WEB-INF./classes/MySer%20vlet.class>  vlet.class

What needs to be done to prevent it ?   Why such restrictions are not set by
default?  This vulnerability prevents us to pass the security certification
test


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message