Bug report #565 has just been filed.

You can view the report at the following URL:
<http://znutar.cortexity.com/BugRatViewer/ShowReport/565>

REPORT #565 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public
Environment:
  Release: 3.2
  JVM Release: 1.3
  Operating System: Linux
  OS Release: RH6.2
  Platform: Linux

Synopsis:
Security prob: WEB-INF directory is viewable

Description:
The contents of "hidden" directories like WEB-INF can actually be read by simply placing a double slash "//" before WEB-INF, like so:
http://localhost:8080/examples//WEB-INF
There may be files inside this or other similar directories which the user does not want to be seen.

BugRat Report # 565
Project: Tomcat | Release: 3.2
Category: Bug Report | SubCategory: New Bug Report
Class: swbug | State: received
Priority: high | Severity: critical
Confidence: public
Submitter: Ramon Casha ( [EMAIL PROTECTED] )
Date Submitted: Dec 11 2000, 02:58:12 CST
Responsible: Z_Tomcat Alias ( [EMAIL PROTECTED] )
Synopsis:
  Security prob: WEB-INF directory is viewable
Environment: (jvm, os, osrel, platform)
  1.3, Linux, RH6.2, Linux
Additional Environment Description:
  When tomcat is used with apache, apache will hide these directories correctly, but if tomcat is directly accessible by giving the port number it opens up this loophole just the same.
Report Description:
  The contents of "hidden" directories like WEB-INF can actually be read by simply placing a double slash "//" before WEB-INF, like so:
  http://localhost:8080/examples//WEB-INF
  There may be files inside this or other similar directories which the user does not want to be seen.
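
The report does not show the container's access check, so the following is an added example and not Tomcat's own code. It assumes a check that compares the raw request path against the protected prefix, and places beside it a check that normalizes the path first. The class and method names are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class ProtectedPathCheck {

    // Assumed naive check: prefix match on the raw path inside the context.
    // "//WEB-INF" does not start with "/WEB-INF", so it slips through, while
    // an unrelated file such as "/WEB-INFO.html" is blocked by mistake.
    static boolean naiveIsProtected(String pathInContext) {
        return pathInContext.startsWith("/WEB-INF");
    }

    // Collapse empty segments (repeated slashes) and resolve "." and "..".
    // Returns null when the path would climb above the context root.
    static String normalize(String pathInContext) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : pathInContext.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null;
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    // Hardened check: decide on the normalized path and match whole segments.
    static boolean hardenedIsProtected(String pathInContext) {
        String n = normalize(pathInContext);
        if (n == null) return true; // refuse anything that escapes the root
        // Compare case-insensitively so the result does not depend on
        // the filesystem's case rules.
        String upper = n.toUpperCase(Locale.ENGLISH);
        return upper.equals("/WEB-INF") || upper.startsWith("/WEB-INF/");
    }

    public static void main(String[] args) {
        // Constructed sample paths; "//WEB-INF" is the form from the report.
        String[] samples = {"/WEB-INF/web.xml", "//WEB-INF", "/index.html", "/WEB-INFO.html"};
        for (String p : samples) {
            System.out.printf("%-18s naive=%-5b hardened=%b%n",
                    p, naiveIsProtected(p), hardenedIsProtected(p));
        }
    }
}
```

The same normalized path should also be the one used to locate the file, so the access decision and the file lookup cannot disagree.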