From: "Alla Winter"
To: users@tomcat.apache.org (Tomcat Users List)
Date: Thu, 17 Nov 2005 14:19:13 -0600
Subject: How to set restrictions on the retrieval of files from some directories
Mailing-List: users@tomcat.apache.org (archived at apmail-tomcat-users-archive)
By default it is possible to retrieve files located under the 'WEB-INF' directory. For example:

www.someserver.com/WEB-INF./web.xml
or
www.someserver.com/WEB-INF./classes/MyServlet.class

What needs to be done to prevent it? Why are such restrictions not set by default? This vulnerability prevents us from passing the security certification test.
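Added example, not part of the original post and not Tomcat's own code: a small checker for the kind of WEB-INF exposure the post describes. It probes a server with the two trailing-dot URLs quoted above plus a few constructed variants (case changes, percent-encoded dot, trailing space, dot-dot traversal), and it shows the request-path normalization a servlet filter would need in order to refuse all of them before the path reaches the file system. The server URL, the response codes used in the test, and every function name are assumptions made for this example; the real container behaviour is whatever your Tomcat build does.

```python
"""Added example (not from the original mailing-list post): probe a web
application for WEB-INF exposure through path variants, and normalize a
request path the way a protective filter must before deciding whether it
points into WEB-INF or META-INF. All URLs and names here are assumptions."""
from urllib.parse import unquote
import urllib.error
import urllib.request

PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Request-path variants that should all be refused once paths are
# canonicalized. The first two are the forms quoted in the post; the rest
# are constructed for this example.
VARIANTS = (
    "/WEB-INF./web.xml",
    "/WEB-INF./classes/MyServlet.class",
    "/WEB-INF/web.xml",
    "/web-inf/web.xml",
    "/WEB-INF%2e/web.xml",
    "/WEB-INF%20/web.xml",
    "/images/../WEB-INF/web.xml",
)


def canonical_segments(path):
    """Percent-decode, split on '/', collapse '.' and '..' like a file
    system, and strip trailing dots and spaces from each segment (Windows
    ignores them when opening a file, so 'WEB-INF.' opens 'WEB-INF')."""
    segments = []
    for raw in unquote(path).split("/"):
        raw = raw.rstrip(" ")
        if raw in ("", "."):
            continue
        if raw == "..":
            if segments:
                segments.pop()
            continue
        seg = raw.rstrip(". ")
        if not seg:  # segment consisted only of dots/spaces: no-op
            continue
        segments.append(seg)
    return segments


def is_protected_path(path):
    """True if the request, after canonicalization, resolves into WEB-INF
    or META-INF at the top of the web application (compare case-insensitively,
    since Windows file names are case-insensitive)."""
    segs = canonical_segments(path)
    return bool(segs) and segs[0].upper() in PROTECTED_DIRS


def http_status(url):
    """Fetch a URL over the real network and return its HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def scan(base_url, fetch=http_status):
    """Probe every variant under base_url and return the ones the server
    actually served (2xx). `fetch` is injectable so the scan can be
    exercised offline with fake responses."""
    exposed = {}
    for variant in VARIANTS:
        status = fetch(base_url.rstrip("/") + variant)
        if 200 <= status < 300:
            exposed[variant] = status
    return exposed


if __name__ == "__main__":
    import sys
    # Assumed target; pass your own application URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/myapp"
    hits = scan(target)
    print("exposed:" if hits else "no WEB-INF exposure found", hits)
```

Run it as `python webinf_check.py http://host:8080/app` after patching or reconfiguring the server; any entry in the result is a path the server should have answered with 404 or 403. The filter-side check deliberately fails closed: a container or filter that decides on the raw request string (`"WEB-INF./web.xml"` is not `"WEB-INF/web.xml"`) while the operating system later treats the two names as the same file is exactly how the trailing-dot form slips through, so the comparison must happen on the decoded, dot-stripped, case-folded segments.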