> Our tomcat directory is C:\Tomcat
>
> It's outside of the inetpub hierarchy, but it is set up in IIS
> as a virtual directory with execute permissions open.
>
> Can hackers still exploit the malformed URL handling in IIS
> with this set up?

I don't believe that the virtual dir will allow the traversal to
parent directories but don't take my word for it. You could always
give it a test yourself.

BTW, one solution is to leave tomcat installed on C: but move
your webapps to another dir along with inetpub. In server.xml
you can set your context docBase, i.e.

    <Context path="/" docBase="d:/webapps"></Context>

---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com