Upgrade. In a short test on two of my servers, 5.0.28 on windows has this WEB-INF. vulnerability, but 5.5.7 did not.
-----Original Message----- From: "Alla Winter" <[EMAIL PROTECTED]> To: <users@tomcat.apache.org> Date: Thu, 17 Nov 2005 14:19:13 -0600 Subject: How to set restrictions on the retreival of files from some directories > BY default it is possible to retrieve files located under the 'WEB-INF' > directory. For example: www.someserver.com/WEB-INF./web.xml or > www.someserver.com/WEB-INF./classes/MySer > <http://www.someserver.com/WEB-INF./classes/MySer%20vlet.class> > vlet.class > > What needs to be done to prevent it ? Why such restrictions are not > set by > default? This vulnerability prevents us to pass the security > certification > test > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
