I just tested on 5.0.28 and can't see anything under WEB-INF. Are you using Tomcat as a standalone or with a connector?
On Fri, 2005-11-18 at 14:15, Brian Buchanan wrote:
> Upgrade. In a short test on two of my servers, 5.0.28 on Windows has this
> WEB-INF. vulnerability, but 5.5.7 did not.
>
> -----Original Message-----
> From: "Alla Winter" <[EMAIL PROTECTED]>
> To: <users@tomcat.apache.org>
> Date: Thu, 17 Nov 2005 14:19:13 -0600
> Subject: How to set restrictions on the retrieval of files from some directories
>
> > By default it is possible to retrieve files located under the 'WEB-INF'
> > directory. For example: www.someserver.com/WEB-INF./web.xml or
> > www.someserver.com/WEB-INF./classes/MyServlet.class
> >
> > What needs to be done to prevent it? Why are such restrictions not set by
> > default? This vulnerability prevents us from passing the security
> > certification test.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
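The report above is that a request for /WEB-INF./web.xml (trailing dot) returns the file on Tomcat 5.0.28 on Windows. The mechanism is a canonicalisation mismatch: Win32 silently discards trailing dots and spaces when opening a file, so WEB-INF. on disk is WEB-INF, while a container that compares the request path literally against "/WEB-INF/" never sees a match and serves it. The following is an added example, not code from Tomcat or from anyone in this thread; it puts a naive prefix check next to a canonicalising check and runs both over constructed probe paths modelled on the URLs quoted above (www.someserver.com is the thread's placeholder host, and all function names are my own).

```python
"""
Added example (not Tomcat code): why a literal "/WEB-INF/" prefix check
lets "/WEB-INF./web.xml" through on Windows, and a canonicalising check
that closes that gap. Names and probe paths are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

# Directories the servlet spec says must never be served directly.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def naive_is_protected(request_path):
    """A literal prefix test. "/WEB-INF./web.xml" does not start with
    "/WEB-INF/", so it is allowed, yet on Windows the filesystem drops the
    trailing dot and opens WEB-INF\\web.xml."""
    return request_path.startswith("/WEB-INF/") or request_path.startswith("/META-INF/")


def canonical_segments(request_path):
    """Normalise a request path the way the underlying filesystem will,
    before comparing it against the protected names.

    Each step closes one trick:
      1. percent-decode once, so %2E becomes '.'
      2. treat backslash as a separator (Windows accepts both)
      3. collapse '.' and '..' segments
      4. strip trailing dots and spaces per segment (Win32 discards them)
      5. lower-case (NTFS is case-insensitive)
    """
    decoded = unquote(request_path).replace("\\", "/")
    collapsed = posixpath.normpath(decoded)
    segments = [s for s in collapsed.split("/") if s]
    return [s.rstrip(". ").lower() for s in segments]


def hardened_is_protected(request_path):
    """Deny if any canonical segment names a protected directory."""
    return any(seg in PROTECTED_DIRS for seg in canonical_segments(request_path))


# Constructed probe paths, modelled on the URLs quoted in the thread.
PROBES = [
    "/WEB-INF/web.xml",
    "/WEB-INF./web.xml",
    "/WEB-INF./classes/MyServlet.class",
    "/WEB-INF%2E/web.xml",
    "/web-inf /web.xml",
    "/docs/../WEB-INF/web.xml",
    "/docs/index.html",
]


def compare_checks(paths=PROBES):
    """Map each probe to (naive_verdict, hardened_verdict) so the gap is visible.
    True means the request would be denied by that check."""
    return {p: (naive_is_protected(p), hardened_is_protected(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, hardened) in compare_checks().items():
        print(f"{path:40} naive={'deny' if naive else 'ALLOW'}  "
              f"hardened={'deny' if hardened else 'allow'}")
```

Running it shows the naive check allowing every WEB-INF. variant while the canonicalising check denies them all. Two caveats for anyone turning this into a servlet Filter as defence in depth: apply it after the container has done its own URL decoding (decoding twice opens a different hole), and treat it as a stopgap, since the reply above already gives the real fix, which is to move to a release where the container does this itself.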