On 22/11/2012 15:11, David Kerber wrote:
> On 11/22/2012 8:35 AM, Aditi Sinha wrote:
>> Thanks Guys.
>>
>> As per my reading of the suggested material and looking at the logs that
>> Andre has shared, I think there are two ways in which the directory
>> traversal attack could be made.
>>
>> 1. By having ..\ equivalents in the URL itself
>> 2. By having ..\ equivalents in the request parameters.
>>
>> In my case, I am not worried about the request parameters since my
>> application doesn't handle any such path related queries and all request
>> parameters are signed by our client app.
>>
>> So, it would really help me narrow down on a course of action if you guys
>> can tell me -
>>
>> *Whether someone can get access to any file/directory outside the tomcat
>> webapps folder using "Style 1 (using ..\ equivalent in the URL itself)
>>   Directory traversal attack (scoped to Tomcat) on Windows".*

Have you tried this?

How does Tomcat respond?

> You could certainly block that by ensuring that the user tomcat is
> running under does not have permissions to anything outside the
> directory where your webapp is deployed.

That would provide defence in depth (e.g. in case of poor configuration)
but is not required to prevent directory traversal.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
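The point Mark makes, that a container stops "style 1" traversal by normalising the request path before it ever touches the file system, so file permissions are only a second layer, can be shown with a small stand-alone check. The following Python is an added illustration written for this thread; it is not Tomcat's code and not from any poster. It assumes a constructed webapp root (`/opt/tomcat/webapps/myapp`) and a handful of constructed request paths, decodes each path once, treats `\` as a separator the way a Windows file system would, and rejects any path that would step above the root:

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed example root for the illustration (not a path from the thread).
WEBAPP_ROOT = PurePosixPath("/opt/tomcat/webapps/myapp")


def canonical_segments(raw_uri_path):
    """Decode a request URI path exactly once and split it into segments.

    A single decode means a double-encoded "%252e%252e" becomes the literal
    text "%2e%2e", which is just an odd file name, not a traversal. Backslashes
    are unified to "/" because a Windows file system would treat them as
    separators if they reached the disk unchanged.
    """
    decoded = unquote(raw_uri_path).replace("\\", "/")
    return decoded.split("/")


def resolve_under_root(root, raw_uri_path):
    """Map a request path onto the webapp root.

    Returns the resolved PurePosixPath, or None when the path would climb
    above the root. This is the normalisation step a container must perform
    before opening anything; it does not rely on OS permissions at all.
    """
    parts = []
    for seg in canonical_segments(raw_uri_path):
        if seg in ("", "."):
            continue            # "//" and "." segments change nothing
        if seg == "..":
            if not parts:
                return None     # would step above the webapp root: reject
            parts.pop()
        else:
            parts.append(seg)
    return root.joinpath(*parts)


# Constructed sample request paths covering plain, "..\" and encoded forms.
SAMPLE_REQUESTS = [
    "/index.jsp",
    "/images/../index.jsp",
    "/..\\..\\conf\\server.xml",
    "/%2e%2e/%2e%2e/conf/server.xml",
    "/%252e%252e/%252e%252e/conf/server.xml",
]


def check_requests(root=WEBAPP_ROOT, requests=SAMPLE_REQUESTS):
    """Return {request path: resolved path string, or None when rejected}."""
    results = {}
    for req in requests:
        resolved = resolve_under_root(root, req)
        results[req] = None if resolved is None else str(resolved)
    return results


if __name__ == "__main__":
    for req, result in check_requests().items():
        print(f"{req!r:45} -> {result or 'REJECTED (escapes webapp root)'}")
```

Two design choices matter here. First, the escape test is done on segments rather than by string-matching `..`, so every spelling that decodes to a parent reference (`..\`, `../`, `%2e%2e`) collapses to the same rejected case. Second, decoding happens once; if any component downstream of this check decodes the path a second time, the double-encoded request above would turn back into `../..` after the check has passed, which is the kind of misconfiguration Mark's "defence in depth" remark is guarding against.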
