tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Serious security problem with mod_jk?
Date Wed, 17 Dec 2008 19:48:55 GMT
No iPod here, but since even the master started top-posting...

You can also use something like

SetEnvIf REQUEST_URI "\.(htm|web|css|gif|jpg|js|html?)$" no-jk

Ooops, no, that's the opposite effect.
Might still be useful though.

See the end of this page for a whole bag of tricks like that:
http://tomcat.apache.org/connectors-doc/reference/apache.html


Christopher Schultz wrote:
> Sorry for the top post; iPhone isn't the best email client in the world.
> 
> Try:
> 
> <Location "/*.jsp">
>    Deny from all
> </Location>
> 
> When configuring Apache httpd in front of Tomcat, you should set up lots 
> of these types of rules to protect your (jsp) sources, WEB-INF, 
> META-INF, etc.
> 
> -chris
> 
> On Dec 16, 2008, at 12:53, "Payne, George \(ghp5h\)" 
> <ghp5h@eservices.virginia.edu> wrote:
> 
>> This is a problem I've seen reported on very old versions of mod_jk, but it
>> seems (apparently) to have a new life in 1.2.27 and possibly other recent
>> versions.
>>
>> If a user puts a double slash (http://mysite.com//myapp/myjsp.jsp) instead
>> of a single slash in a url, apache does not recognize it as part of a normal
>> pattern (eg JkMount /myapp/*.jsp) to be forwarded to tomcat and displays it
>> as html/text instead of as a jsp, revealing the source.
>>
>> My system:
>>
>> Httpd: Apache 2.0.46
>> Jk: 1.2.27 (from binary posted on
>> http://apache.mirrors.timporter.net/tomcat/tomcat-connectors/jk/binaries/linux/jk-1.2.27/i386/mod_jk-1.2.27-httpd-2.0.61.so)
>> Tomcat: 5.5.27
>>
>> I'd be happy to hear someone say I misconfigured something, but I'm not sure
>> what I could misconfigure to make this happen.
>>
>> I've worked around by doing things like
>>
>> JkMount /*.jsp ajp13
>> JkMount /*.do ajp13
>>
>> Etc, but this is not a good solution.
>>
>> George Payne
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
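A front-end httpd configuration that closes the gap discussed in this thread, added here as an example (it is not from the thread or from the mod_jk project): keep JSP sources out of httpd's document tree, so a JkMount pattern that fails to match a doubled slash has nothing to disclose, and deny WEB-INF/META-INF with a LocationMatch regex that tolerates repeated slashes. A wildcard <Location "/*.jsp"> is a poor fit for this, because `*` in a <Location> wildcard does not match `/`, and an access denial on JSP paths also applies to the requests mod_jk forwards. Paths, the worker name ajp13 and the static file types are assumptions; the directive forms are the httpd 2.0/2.2 ones used in the thread.

```apache
# Added example (not from this thread or the mod_jk project).
# httpd 2.0/2.2 directive forms, matching the versions in the thread.
# All paths and the worker name "ajp13" are assumptions.

# --- Setup that discloses JSP source, as in the report ------------------
# DocumentRoot "/opt/tomcat/webapps"   # httpd can map URLs onto .jsp files
# JkMount /myapp/*.jsp ajp13           # "//myapp/x.jsp" does not match, so
#                                      # httpd serves the file as text

# --- Hardened ----------------------------------------------------------
# 1. httpd's document tree holds only static files: no .jsp, no WEB-INF.
#    Whatever mod_jk fails to match, there is no source for httpd to send.
DocumentRoot "/var/www/myapp-static"

# 2. Forward the whole application, not just *.jsp.  mod_jk's "*" matches
#    across "/", so the second mount also catches "//myapp/x.jsp".
JkMount /myapp/* ajp13
JkMount /*.jsp   ajp13

# 3. Hand only the static types back to httpd.  JkUnMount takes precedence
#    over JkMount; the files must exist under DocumentRoot/myapp/.
JkUnMount /myapp/*.css ajp13
JkUnMount /myapp/*.js  ajp13
JkUnMount /myapp/*.gif ajp13
JkUnMount /myapp/*.jpg ajp13

# 4. Refuse WEB-INF and META-INF however many slashes the client sends.
#    LocationMatch is applied to the request path as sent, hence "/+".
#    This runs for locally served and for forwarded requests alike.
<LocationMatch "/+(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>
```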

