The problem is that Apache is serving the file and not forwarding the
request to Tomcat.  Tomcat would *not* return the JSP contents for this URL,
it would return a 404 error.

I've heard this same problem from another user who is also using Apache
1.3.20.  I can't duplicate the problem using Apache 1.3.19 so maybe
something changed in the latest version of Apache.

I'd go back to Apache 1.3.19 and see if that fixes the problem.  Another
solution is to add the following line to your mod_jk.conf file:

JkMount /bar/* ajp13

This will send requests for *all* resources in your webapp to Tomcat.  Yes,
it may degrade performance a little bit, but it makes certain that Tomcat
remains in complete control over the security of *all* resources inside the
webapp.  A lot of effort has gone into preventing protected webapp resources
from being served by Tomcat.  If you open things up to an outside party then
you have to make sure that party obeys all the same rules.

Marc Saegesser

> -----Original Message-----
> From: RoMaN SoFt / LLFB !! [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 21, 2001 7:40 AM
> To: [EMAIL PROTECTED]
> Subject: Security issues with Tomcat 3.2.x
>
>
>
>  Hi.
>
>  I'm using Jakarta Tomcat 3.2.2 with Apache 1.3.20 / mod_jk (Linux)
> and I have some security-related questions:
>
> 1) I've read 3.2.3 is the latest available version for the 3.2.x branch
> and that it covers a security issue. What about this security issue,
> and where could I read more about it? Could it be the
> "2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability"
> (http://www.securityfocus.com/vdb/bottom.html?vid=2982)?
>
> 2) Is there any patch, or is a future release planned, to cover the
> "2001-08-16: Jakarta Tomcat 3.2.1 Error Message Information Disclosure
> Vulnerability" issue?
> (http://www.securityfocus.com/vdb/bottom.html?vid=3199)
>
> 3) The following is a security issue I'm experiencing. It may be a
> configuration error made by myself or perhaps some bug? I need some
> help. Let's suppose you have a working .jsp page:
> http://www.foo.com/bar/home.jsp. Then if you use the following URL the
> .jsp source is shown instead of being executed by Tomcat:
> http://www.foo.com/\bar/home.jsp. This is the way I'm mounting
> the context (excerpt from mod_jk.conf file):
>
> Alias /bar /usr/local/tomcat/webapps/bar
>
> JkMount /bar/*.jsp ajp13
> JkMount /bar/*.xml ajp13
> JkMount /bar/servlet/* ajp13
>
> <Location /bar/WEB-INF/ >
>     AllowOverride None
>     deny from all
> </Location>
>
> <Location "/bar/META-INF/">
>     AllowOverride None
>     deny from all
> </Location>
>
>  Am I missing something, or is the \ trick a bug? Any workaround?
>
>  Thanks in advance!
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>     ** RoMaN SoFt / LLFB **
>        [EMAIL PROTECTED]
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
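As an added illustration of the fix Marc recommends (this is not configuration from either message, only an example written for this page), the excerpt below shows the pattern-based mounts from the original post next to the catch-all mount. It assumes the same Alias path and the same "ajp13" worker name the poster used. Note that AllowOverride is a Directory-context directive, so it is left out of the Location blocks here; the Order/Deny pair is what actually keeps Apache from serving those directories.

```apache
# Added example (not from the thread): mod_jk.conf excerpt for the /bar
# context. Alias path and worker name "ajp13" are taken from the original
# message; everything else is assumed for illustration.

Alias /bar /usr/local/tomcat/webapps/bar

# Weak: only URLs that match one of these patterns are handed to Tomcat.
# A request that Apache maps into the aliased directory but that does not
# match any pattern is served by Apache as a plain static file, which is
# how the JSP source ends up in the browser.
#JkMount /bar/*.jsp ajp13
#JkMount /bar/*.xml ajp13
#JkMount /bar/servlet/* ajp13

# Hardened: forward every request under /bar/ to Tomcat, so that Tomcat's
# own security constraints decide what is served and what is not.
JkMount /bar/* ajp13

# Defence in depth: even if a request does reach Apache's file handling,
# the protected directories stay inaccessible.
<Location /bar/WEB-INF/>
    Order deny,allow
    Deny from all
</Location>

<Location /bar/META-INF/>
    Order deny,allow
    Deny from all
</Location>
```

After changing the file, restart Apache and confirm that a request for a JSP under /bar/ returns rendered output rather than page source; the trade-off, as Marc notes, is that static files in the webapp now also pass through the AJP connector.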
