Re: security hole on windows Apache -> Tomcat?

[Paul Sundling]

You actually do can that if you had a servlet on the outside that 
forwarded the request to the appropriate JSPs.    A simple example is if 
you use the struts framework, the following is an example of how you 
could use that approach.  I just tested it and it worked fine:

[snip from struts-config.xml]
      <action
           path="/Welcome"
           type="org.apache.struts.actions.ForwardAction"
           parameter="/WEB-INF/inside.jsp"/>
[end snip]
Angus Mezick wrote:

Not at the current late stage of development we are currently in.  I
know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
just redirect them into limbo, I don't know.
 

-----Original Message-----
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 11:45 AM
To: Tomcat Users List
Subject: RE: security hole on windows Apache -> Tomcat?

Can you arrange your file layout in a way, that the jsp's aren't 
under the document root for apache ? (I guess they are, otherwise
apache couldn't show them)

   

-----Original Message-----
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 5:34 PM
To: Tomcat Users List
Subject: RE: security hole on windows Apache -> Tomcat?
I ONLY see the problem in apache.  So I think it is a 
     

config problem.
   

Will the jk2 URI :
[uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
When I turn on the accessvalve tomcat doesn't see this request.
     

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
   

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]