tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Security issue
Date Thu, 03 Aug 2006 03:25:12 GMT
Frank Peters wrote:
> Hi, 
> 
> I found the following security issue at security focus:
> 
> http://www.securityfocus.com/bid/19106/info
> 
> In my opinion, this issue is fixed with #37150 in 5.5.13 because directory listing is
disabled by default, isn't it?
> 
> Regards
> Frank

In short, yes. It is open to debate whether this is a bug or not as
all the proofs provided are just Httpd and Tomcat behaving exactly as
expected for the given configuration. If the configuration isn't
secure then that isn't a security issue the products.

That being said, turning off directory listing by default is a
sensible thing to do from a security point of view.

Mark

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message