Security issue
- From: Mark Thomas <markt (at) apache.org>
- Date: Wed, 02 Aug 2006 23:25:12 -0400
Frank Peters wrote:
> Hi,
>
> I found the following security issue at security focus:
>
> http://www.securityfocus.com/bid/19106/info
>
> In my opinion, this issue is fixed with #37150 in 5.5.13 because directory listing is disabled by default, isn't it?
>
> Regards
> Frank
In short, yes. It is open to debate whether this is a bug or not as
all the proofs provided are just Httpd and Tomcat behaving exactly as
expected for the given configuration. If the configuration isn't
secure then that isn't a security issue in the products.
That being said, turning off directory listing by default is a
sensible thing to do from a security point of view.
Mark