This did the work with Apache. I was trying to get rid of the semicolon but this seems better.
<LocationMatch "/.+">
AllowOverride None
Order deny,allow
Deny from all
Allow from none
</LocationMatch>
Now I have to decide between a tomcat 404 or an apache access denied
Thanks again
LeoOn 12/18/06, Leo Gil <leonardobgil@xxxxxxxxx> wrote:After hunting this problem down I found an easy fix on tomcat. So easy that upsets me...
Just setting listings to false did the trick on web.xml
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
I'm going to try LocationMatch it's better than displaying a tomcat 404
Thanks for your help
LeoOn 12/18/06, Nick Kew < nick@xxxxxxxxxxxx> wrote:On Mon, 18 Dec 2006 18:26:06 -0500
"Leo Gil" < leonardobgil@xxxxxxxxx> wrote:
> Hi all,
>
> I have been trying to block the Tomcat directory listing vulnerability
> using Apache's Directory with no success.
No chance. <Directory> applies to local files, not anything
served by tomcat. You want <LocationMatch>.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx