lucy wrote:
> a couple of the replies look exploitative and will not be giving out the web address.
> But I'm genuinely seeking an answer, as I was able to open the web.xml file under
> the WEB-INF dir and read confidential parameters.
>
> I have been blithely telling clients that the big advantage of Java servlets is that
> they're much better and more secure than ASPs, an uphill task in this MS world. Like
> Gin Chen, I always thought this area was protected, a strong point in servlets
> usage. I'm so concerned that I'm now planning to go back over my own non-intranet
> servlet work to see if any of mine are similarly 'open access'. I deal with small
> businesses who have various webserver setups, outside my control. So how can this
> happen, that the web.xml can be read? Cheers, Lucy
>

You need to be pretty careful about assuming that _anything_ is unreadable - we've been doing some research on servlets and JSP containers and many of them have bugs which expose WEB-INF when confronted with sneaky requests.
(If you want details - drop [EMAIL PROTECTED] an email.)

Tim.
URL: http://www.westpoint.ltd.uk/ - internet recon.

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
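A defence-in-depth measure for the exposure Tim describes, added here as an example; it is not code from the thread, from Tim, or from any particular servlet container. It assumes the Servlet 2.3 Filter API (javax.servlet) and that the filter is mapped to /* in web.xml; the class name WebInfGuardFilter and the filter-name webInfGuard are made up for this example. The container is supposed to refuse requests for WEB-INF itself; this filter is a second check that sees the request even when the container's own path handling gets it wrong, and it fails closed on anything it cannot decode.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not from the thread: a defence-in-depth servlet Filter that
 * refuses any request whose decoded, normalised path reaches WEB-INF or
 * META-INF. Map it to every URL in web.xml (hypothetical mapping):
 *
 *   <filter>
 *     <filter-name>webInfGuard</filter-name>
 *     <filter-class>WebInfGuardFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>webInfGuard</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class WebInfGuardFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getRequestURI() is the raw, still-encoded path, so we decode it ourselves below
        if (isProtectedPath(request.getRequestURI())) {
            // 404 rather than 403, so the response does not confirm the directory exists
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True if the path, after percent-decoding, case-folding and resolution of
     * "." and ".." segments, contains a WEB-INF or META-INF component.
     * Input that cannot be decoded cleanly is treated as protected (fail closed).
     */
    static boolean isProtectedPath(String rawPath) {
        if (rawPath == null) {
            return false;
        }
        String path = rawPath;
        try {
            // Decode twice: a container that decodes once and a file layer that
            // decodes again would otherwise see a different path than this check does.
            path = URLDecoder.decode(path, "UTF-8");
            path = URLDecoder.decode(path, "UTF-8");
        } catch (Exception e) {
            return true; // malformed escape sequence: refuse rather than guess
        }
        if (path.indexOf('\0') >= 0) {
            return true; // an embedded NUL can truncate the path at the file-system layer
        }
        path = path.replace('\\', '/').toLowerCase();

        // Resolve dot segments so "/a/../WEB-INF/web.xml" is seen as "/WEB-INF/web.xml"
        List<String> segments = new ArrayList<String>();
        String[] parts = path.split("/");
        for (int i = 0; i < parts.length; i++) {
            String part = parts[i];
            if (part.length() == 0 || part.equals(".")) {
                continue;
            }
            if (part.equals("..")) {
                if (!segments.isEmpty()) {
                    segments.remove(segments.size() - 1);
                }
                continue;
            }
            segments.add(part);
        }
        for (int i = 0; i < segments.size(); i++) {
            String seg = segments.get(i);
            if (seg.equals("web-inf") || seg.equals("meta-inf")) {
                return true;
            }
        }
        return false;
    }
}
```

The filter only helps for requests that reach the servlet pipeline; a container that serves files before filter dispatch, or a front-end web server that maps the webapp directory straight to disk, needs its own fix, so it complements patching the container rather than replacing it. After deploying it, the check Lucy performed is the right one to repeat against your own server: a request for web.xml under WEB-INF should come back as a 404.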
