tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Security issue
Date Thu, 03 Aug 2006 03:25:12 GMT
Frank Peters wrote:
> Hi, 
> I found the following security issue at security focus:
> In my opinion, this issue is fixed with #37150 in 5.5.13 because directory listing is
disabled by default, isn't it?
> Regards
> Frank

In short, yes. It is open to debate whether this is a bug or not as
all the proofs provided are just Httpd and Tomcat behaving exactly as
expected for the given configuration. If the configuration isn't
secure then that isn't a security issue the products.

That being said, turning off directory listing by default is a
sensible thing to do from a security point of view.


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message