tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Serious security problem with mod_jk?
Date Wed, 17 Dec 2008 16:24:08 GMT
Sorry for the top post; the iPhone isn't the best email client in the world.

Try:

<Location "/*.jsp">
    Deny from all
</Location>

When configuring Apache httpd in front of Tomcat, you should set up  
lots of these types of rules to protect your (jsp) sources, WEB-INF,  
META-INF, etc.

-chris

On Dec 16, 2008, at 12:53, "Payne, George (ghp5h)" <ghp5h@eservices.virginia.edu> wrote:

> This is a problem I've seen reported on very old versions of mod_jk, but it
> seems (apparently) to have a new life in 1.2.27 and possibly other recent
> versions.
>
> If a user puts a double slash (http://mysite.com//myapp/myjsp.jsp) instead
> of a single slash in a URL, Apache does not recognize it as part of a normal
> pattern (e.g. JkMount /myapp/*.jsp) to be forwarded to Tomcat and displays it
> as html/text instead of as a JSP, revealing the source.
>
> My system:
>
> Httpd: Apache 2.0.46
> Jk: 1.2.27 (from binary posted on
> http://apache.mirrors.timporter.net/tomcat/tomcat-connectors/jk/binaries/linux/jk-1.2.27/i386/mod_jk-1.2.27-httpd-2.0.61.so)
> Tomcat: 5.5.27
>
> I'd be happy to hear someone say I misconfigured something, but I'm not sure
> what I could misconfigure to make this happen.
>
> I've worked around by doing things like
>
> JkMount /*.jsp ajp13
> JkMount /*.do ajp13
>
> Etc, but this is not a good solution.
>
> George Payne

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
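An added example, written by the editor and not by either poster, that turns George's description into an access-log check a defender can run: it models JkMount matching on the literal request path (as the report describes) and flags successful responses whose path only matches a mount once duplicate slashes are collapsed, i.e. requests httpd may have served from disk instead of forwarding. The log lines and mount list are constructed, and the matching model is an assumption taken from the report rather than from mod_jk's code.

```python
import fnmatch
import re
from typing import Iterable, List

# JkMount patterns as they appear in the report (worker name omitted).
JK_MOUNTS = ["/myapp/*.jsp", "/myapp/*.do"]

# Constructed httpd combined-log excerpt; the third line carries the
# doubled leading slash described in the report.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2008:12:40:01 -0500] "GET /myapp/myjsp.jsp HTTP/1.1" 200 1532
10.0.0.5 - - [16/Dec/2008:12:40:09 -0500] "GET /myapp/images/logo.png HTTP/1.1" 200 8043
10.0.0.7 - - [16/Dec/2008:12:41:17 -0500] "GET //myapp/myjsp.jsp HTTP/1.1" 200 2210
10.0.0.7 - - [16/Dec/2008:12:41:20 -0500] "GET /myapp//WEB-INF/web.xml HTTP/1.1" 403 221
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def jk_mounted(path: str) -> bool:
    """Assumed model of JkMount matching on the literal request path, as in
    the report (the mount did not match when the path began with '//').
    fnmatch lets '*' span '/' the way a /ctx/*.jsp suffix mount does."""
    return any(fnmatch.fnmatchcase(path, m) for m in JK_MOUNTS)


def normalize(path: str) -> str:
    """Drop the query string and collapse repeated slashes, which is how the
    filesystem resolves the path once httpd maps it under DocumentRoot."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0])


def find_bypasses(lines: Iterable[str]) -> List[str]:
    """Return paths that httpd answered with 2xx although only their
    normalized form matches a JkMount: candidates for JSP source disclosure."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, status = m.group("path"), int(m.group("status"))
        if 200 <= status < 300 and not jk_mounted(path) and jk_mounted(normalize(path)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in find_bypasses(SAMPLE_LOG.splitlines()):
        print("possibly served from disk instead of Tomcat:", p)
```

Run against real logs, a non-empty result is a signal to review both the JkMount patterns and the Location rules Chris describes; the 403 on the WEB-INF line shows what a working deny rule looks like in the same log.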