Re: Block Tomcat's directory listing vulnerability with Directory and regex

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: Block Tomcat's directory listing vulnerability with Directory and regex
From: "Leo Gil" <leonardobgil@xxxxxxxxx>
Date: Mon, 18 Dec 2006 19:35:48 -0500
Delivered-to: mailing list users@xxxxxxxxxxxxxxxx
In-reply-to: <205c8aad0612181614k3edd16dcpe4cd915a2eb11070@xxxxxxxxxxxxxx>
Mailing-list: contact users-help@xxxxxxxxxxxxxxxx; run by ezmlm
References: <205c8aad0612181526h298df1b1s432c3a61fe546cb8@xxxxxxxxxxxxxx> <20061219000204.623fea69@grimnir> <205c8aad0612181614k3edd16dcpe4cd915a2eb11070@xxxxxxxxxxxxxx>
Reply-to: users@xxxxxxxxxxxxxxxx

This did the work with Apache. I was trying to get rid of the semicolon but this seems better.

<LocationMatch "/.+">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from none
</LocationMatch>

Now I have to decide between a tomcat 404 or an apache access denied

Thanks again

Leo

On 12/18/06, Leo Gil <leonardobgil@xxxxxxxxx> wrote:

After hunting this problem down I found an easy fix on tomcat. So easy that upsets me...

Just setting listings to false did the trick on web.xml

<init-param>

<param-name>listings</param-name>

<param-value>false</param-value>

</init-param>

I'm going to try LocationMatch it's better than displaying a tomcat 404

Thanks for your help

Leo

On 12/18/06, Nick Kew < nick@xxxxxxxxxxxx> wrote:
On Mon, 18 Dec 2006 18:26:06 -0500
"Leo Gil" < leonardobgil@xxxxxxxxx> wrote:

> Hi all,
>
> I have been trying to block the Tomcat directory listing vulnerability
> using Apache's Directory with no success.

No chance.  <Directory> applies to local files, not anything
served by tomcat.  You want <LocationMatch>.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Follow-Ups:
- Re: Block Tomcat's directory listing vulnerability with Directory and regex
  - From: Leo Gil

References:
- Block Tomcat's directory listing vulnerability with Directory and regex
  - From: Leo Gil
- Re: Block Tomcat's directory listing vulnerability with Directory and regex
  - From: Nick Kew
- Re: Block Tomcat's directory listing vulnerability with Directory and regex
  - From: Leo Gil

Prev by Date: Re: Block Tomcat's directory listing vulnerability with Directory and regex
Next by Date: Re: Block Tomcat's directory listing vulnerability with Directory and regex
Previous by thread: Re: Block Tomcat's directory listing vulnerability with Directory and regex
Next by thread: Re: Block Tomcat's directory listing vulnerability with Directory and regex
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]

Powered by Linux