Hello, if I place e.g. calc.exe in the root folder of a stock Tomcat, it doesn’t seem to work:
curl http://localhost/calc.exe -vv --> exe is found
curl http://localhost/calc.exe/ -vv --> I receive a 404 error

It seems your application is somehow allowing the download or your configuration.
Perhaps you can first try to figure out which part of your configuration / application is causing the download.
I would start with inspecting the web.xml and follow the path.

Greetings,
Thomas

> -----Original Message-----
> From: bharath Kumar <bharathkris...@gmail.com>
> Sent: Wednesday, 22 June 2022 11:38
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's
> from downloading
>
> Hi team,
>
> Any help on this?
>
> Further this exe (*abc.exe*) downloads when I hit on the url
> *http://server_name/abc.exe/* and is
> happening only in *Tomcat* not with *IIS*.
>
>
> Tomcat:
> *http://<server_name:Port>/abc.exe* -- exe is not getting downloaded
> *http://<server_name:Port>/abc.exe/* -- exe is getting downloaded on
> the browser where we hit
>
>
> IIS:
>
> *http://<server_name:Port>/abc.exe/* - No issue
> *http://<server_name:Port>/abc.exe* - No issue
>
>
> My intention is not to download the abc.exe ... I have a CGI
> application (abc.exe) that opens up my application
>
>
> Below is my web.xml configuration:
>
> <servlet-mapping>
>     <servlet-name>abc</servlet-name>
>     <url-pattern>/abc.exe</url-pattern>
> </servlet-mapping>
>
>
>
> Can you please help how to stop the CGI application
> (*http://<server_name:Port>/abc.exe/*) from being downloaded (I am
> trying to fix the CGI Vulnerability)
>
> Thanks,
> Bharath
>
> On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
> <thomas.hoffm...@speed4trade.com.invalid> wrote:
>
> > Hello,
> >
> > maybe this stackoverflow page helps already:
> >
> > https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist
> >
> > Your snippet of the web.xml is just a configuration of an unknown servlet.
> > If the corresponding servlet is custom, you need to get in touch with
> > the developer.
> >
> > Greetings,
> > Thomas
> >
> > > -----Original Message-----
> > > From: bharath Kumar <bharathkris...@gmail.com>
> > > Sent: Monday, 20 June 2022 12:43
> > > To: Tomcat Users List <users@tomcat.apache.org>
> > > Subject: Re: Apache Tomcat 8 - Require Tomcat configuration to
> > > restrict exe's from downloading
> > >
> > > Sure Olaf will update it
> > >
> > > On Mon, Jun 20, 2022 at 3:33 PM Olaf Kock <tom...@olafkock.de> wrote:
> > >
> > > >
> > > > On 20.06.22 11:51, bharath Kumar wrote:
> > > > > Hi Team,
> > > > >
> > > > > I am using apache Tomcat 8 version,
> > > > >
> > > > > *Problem statement:*
> > > > >
> > > > > My application's accessible URL format is
> > > > > *http://<server_name>/abc/xyz.exe*
> > > >
> > > > A good way to get the question answered would be to answer the
> > > > comments on your identical Stackoverflow post
> > > >
> > > > https://stackoverflow.com/q/72658556/13447
> > > >
> > > > If someone is asking for clarification, that's typically because
> > > > they need more information and it typically doesn't help asking
> > > > elsewhere without providing that additional information. And
> > > > abandoning the original place isn't too helpful as well.
> > > >
> > > > Also: Please don't crosspost without referencing all places where
> > > > you posted - otherwise you're just generating duplicate work as
> > > > nobody knows what has already been discussed elsewhere.
> > > >
> > > > Thank you,
> > > >
> > > > Olaf
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > For additional commands, e-mail: users-h...@tomcat.apache.org
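
Added example (not part of the original thread and not Tomcat's own code): a small model of the Servlet specification's mapping order (exact, longest path-prefix, extension, default), applied to the two URL forms discussed above. It shows which mapping receives each request, not what that servlet then does with it. The `/`, `*.jsp` and `*.jspx` entries assume Tomcat's global conf/web.xml is unchanged, and the `*.exe` pattern with its `exe-handler` name is hypothetical.

```python
# Added example: Servlet-spec URL-pattern resolution for the URLs in this thread.

MAPPINGS = {
    "/abc.exe": "abc",    # <servlet-mapping> quoted in the thread
    "/": "default",       # Tomcat global conf/web.xml (assumed unchanged)
    "*.jsp": "jsp",       # Tomcat global conf/web.xml (assumed unchanged)
    "*.jspx": "jsp",
}


def resolve(path, mappings):
    """Return (servlet-name, rule) for a context-relative request path."""
    # 1. Exact match against patterns that are neither prefix, extension nor default.
    exact = {p: s for p, s in mappings.items()
             if p != "/" and not p.endswith("/*") and not p.startswith("*.")}
    if path in exact:
        return exact[path], "exact"
    # 2. Longest path-prefix match ("/foo/*" matches "/foo" and "/foo/...").
    bases = sorted((p[:-2] for p in mappings if p.endswith("/*")),
                   key=len, reverse=True)
    for base in bases:
        if path == base or path.startswith(base + "/"):
            return mappings[base + "/*"], "prefix"
    # 3. Extension match: only the last path segment is inspected, so a
    #    trailing slash leaves an empty segment with no extension.
    last = path.rsplit("/", 1)[-1]
    if "." in last:
        pattern = "*." + last.rsplit(".", 1)[1]
        if pattern in mappings:
            return mappings[pattern], "extension"
    # 4. Everything else goes to the default servlet, if one is mapped.
    if "/" in mappings:
        return mappings["/"], "default"
    return None, "unmapped"


if __name__ == "__main__":
    # Hypothetical extra mapping, to show what an extension rule would cover.
    with_ext_rule = dict(MAPPINGS, **{"*.exe": "exe-handler"})
    for url in ("/abc.exe", "/abc.exe/", "/xyz.exe", "/xyz.exe/"):
        print(url, resolve(url, MAPPINGS), resolve(url, with_ext_rule))
```

With the mapping from the thread, `/abc.exe` resolves to the `abc` servlet while `/abc.exe/` resolves to the default servlet, and an extension pattern does not catch the trailing-slash form either.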