Re: Block Tomcat's directory listing vulnerability with Directory and regex

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is better

<LocationMatch "/.+">
   Redirect / http://foo.com
</LocationMatch>



On 12/18/06, Leo Gil <leonardobgil@xxxxxxxxx> wrote:
This did the work with Apache. I was trying to get rid of the semicolon but this seems better.

<LocationMatch "/.+">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from none
</LocationMatch>

Now I have to decide between a tomcat 404 or an apache access denied

Thanks again

Leo


On 12/18/06, Leo Gil <leonardobgil@xxxxxxxxx> wrote:
After hunting this problem down I found an easy fix on tomcat. So easy that upsets me...

Just setting listings to false did the trick on web.xml

<init-param>

<param-name>listings</param-name>

<param-value>false</param-value>

</init-param>


I'm going to try LocationMatch it's better than displaying a tomcat 404

Thanks for your help

Leo

On 12/18/06, Nick Kew < nick@xxxxxxxxxxxx> wrote:
On Mon, 18 Dec 2006 18:26:06 -0500
"Leo Gil" < leonardobgil@xxxxxxxxx> wrote:

> Hi all,
>
> I have been trying to block the Tomcat directory listing vulnerability
> using Apache's Directory with no success.

No chance.  <Directory> applies to local files, not anything
served by tomcat.  You want <LocationMatch>.


--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux