Something is fishy with your server (or configuration). I cannot reproduce that issue with 5.0.28 on Windows.

-Tim

Brian Buchanan wrote:

Upgrade. In a short test on two of my servers, 5.0.28 on Windows has this
WEB-INF. vulnerability, but 5.5.7 did not.

-----Original Message-----
From: "Alla Winter" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Date: Thu, 17 Nov 2005 14:19:13 -0600
Subject: How to set restrictions on the retrieval of files from some directories


By default it is possible to retrieve files located under the 'WEB-INF'
directory. For example: www.someserver.com/WEB-INF./web.xml or
www.someserver.com/WEB-INF./classes/MyServlet.class

What needs to be done to prevent it? Why are such restrictions not set by
default? This vulnerability prevents us from passing the security
certification test.


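An added example, not part of the original thread: a short access-log check for the request shape described above, which reports whether any request that resolves to `WEB-INF` or `META-INF` was actually served. It assumes Common Log Format lines and assumes the lookup ignores case and trailing dots or spaces in a path segment, as Windows file APIs do; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

PROTECTED = {"web-inf", "meta-inf"}  # directories a container must never serve

# Request and status fields of a Common Log Format line (assumed log format).
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def canonical_segments(raw_path):
    """Fold each path segment the way the filesystem lookup is assumed to:
    percent-decoded, case-insensitive, trailing dots and spaces dropped."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        folded = seg.rstrip(". ").lower()
        if folded:
            segments.append(folded)
    return segments

def is_protected(raw_path):
    """True if any segment resolves to a protected directory name."""
    return any(seg in PROTECTED for seg in canonical_segments(raw_path))

def scan(lines):
    """Return (path, status, served) for every request into a protected directory."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and is_protected(m.group("path")):
            status = m.group("status")
            hits.append((m.group("path"), status, status.startswith("2")))
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Nov/2005:14:02:11 -0600] "GET /index.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [17/Nov/2005:14:02:15 -0600] "GET /WEB-INF/web.xml HTTP/1.1" 404 1024',
    '192.0.2.10 - - [17/Nov/2005:14:02:19 -0600] "GET /WEB-INF./web.xml HTTP/1.1" 200 2310',
    '192.0.2.10 - - [17/Nov/2005:14:02:24 -0600] "GET /app/WEB-INF./classes/MyServlet.class HTTP/1.1" 200 4096',
    '192.0.2.10 - - [17/Nov/2005:14:02:30 -0600] "GET /docs/web-info.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for path, status, served in scan(SAMPLE_LOG):
        print(("SERVED " if served else "blocked"), status, path)
```

Any row marked as served means the container returned protected content and the affected version should be upgraded, as the reply in the thread recommends.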