Mark Thomas wrote:

Single ajp13 worker

jkMount  /jsp-examples/* worker1

A simple 'hello world' html file was created at (directories created
where required):
<appBase>/jsp-examples/%2e%2e/servlets-examples/index.html

Test 1: Tomcat only
http://localhost:8080/jsp-examples/%252e%252e/servlets-examples/index.html
This correctly showed the index.html I created above.


But this is an oxymoron. You wish to serve the content from
servlets-examples with only jsp-examples mounted.
This is also the exact reason for CVE-2007-1860.



My expectation is that:
A) A request for
http://host:port/jsp-examples/%252e%225e/servlets-examples/index.html
returns the correct file for Tomcat standalone and httpd + mod_jk + Tomcat

Use 'JkMount /* worker1' if you need something like that.

The entire point of the story is that if you have *only*
JkMount  /jsp-examples/* then *only* that Context is allowed to be served.
Even hitting Tomcat (which happens with < 1.2.24) is a security breach.


Regards,
Mladen.
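The point Mladen makes above, as an added illustration (this is not mod_jk's code, and the matching logic is a simplified model of a connector, not the real implementation): a mount of `/jsp-examples/*` must be enforced against the decoded and normalized request path, because a raw prefix comparison happily forwards `/jsp-examples/%252e%252e/servlets-examples/index.html` to Tomcat even though the path it ends up resolving lives outside the mounted context. The mount prefix and URIs are the ones from the thread; the function names are assumptions.

```python
"""Model of prefix-based mount matching, naive vs. normalized.

Added example, not mod_jk or Tomcat code. The mount and the request URIs
come from the mailing-list thread; everything else is assumed for the
illustration.
"""
import posixpath
from urllib.parse import unquote

# From 'JkMount /jsp-examples/* worker1' in the thread.
MOUNT = "/jsp-examples/"


def raw_prefix_match(uri: str) -> bool:
    """Naive model: compare the undecoded request URI against the mount.

    This is the behaviour the thread warns about: '%252e%252e' is just
    opaque bytes here, so the request is forwarded to the worker.
    """
    return uri.startswith(MOUNT)


def normalize(uri: str) -> str:
    """Percent-decode until the string stops changing, then collapse
    '.' and '..' segments the way a servlet container would.

    Decoding repeatedly (not just once) is a deliberately conservative
    choice for this illustration: it turns '%252e' into '%2e' and then
    into '.', so a double-encoded traversal cannot slip past the check.
    """
    prev, cur = None, uri
    while cur != prev:
        prev, cur = cur, unquote(cur)
    path = cur.split("?", 1)[0]            # ignore any query string
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                         # normpath strips the trailing slash
    return norm


def normalized_prefix_match(uri: str) -> bool:
    """Hardened model: forward only if the decoded, normalized path is
    still inside the mounted context."""
    return normalize(uri).startswith(MOUNT)


def decide(uri: str) -> dict:
    """Return both verdicts side by side for a given request URI."""
    return {
        "normalized_path": normalize(uri),
        "raw_match": raw_prefix_match(uri),
        "normalized_match": normalized_prefix_match(uri),
    }


if __name__ == "__main__":
    # Constructed requests: the double-encoded one from the thread, its
    # single-encoded and plain variants, and a legitimate in-context URI.
    for req in (
        "/jsp-examples/%252e%252e/servlets-examples/index.html",
        "/jsp-examples/%2e%2e/servlets-examples/index.html",
        "/jsp-examples/../servlets-examples/index.html",
        "/jsp-examples/jsp2/el/basic-arithmetic.jsp",
    ):
        print(req, "->", decide(req))
```

With only `/jsp-examples/*` mounted, every traversal variant passes the raw check and fails the normalized one, which is exactly the distinction between "the request never reaches Tomcat" and "Tomcat is hit for a path outside the mounted context". The repeated-decode loop is the conservative end of the spectrum; a production connector has to decide how many decoding passes its backend will apply and match on that same form, otherwise the two sides disagree about what was requested.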
