
[cobalt-developers] Again security violation in Cobalt Developer Kit for Java



Hi,

it may be important to all who use the Cobalt Developer Kit for Java.

First:
The default Apache/Tomcat configuration shipped by Cobalt does not hide the
contents of the WEB-INF directory, or anything below it, from web browsing.
Cobalt's default configuration in access.conf is:
<Directory /home/sites/siteN>
AllowOverride All
Options All
</Directory>
"Options All" includes Indexes, so any visitor can list and browse your
WEB-INF directory and every directory below it. (Tomcat itself never serves
WEB-INF; the exposure comes from Apache reading the same directory straight
from disk.)
Check it yourself: point your web browser to
http://<yourdomain>/WEB-INF
http://<yourdomain>/WEB-INF/classes

You can disable directory listings for the whole virtual host by changing
access.conf as shown below:
<Directory /home/sites/siteN>
AllowOverride All
Options -Indexes
</Directory>

Note that "AllowOverride All" still lets a .htaccess file inside the site
turn Indexes back on, so reduce AllowOverride if the site owner is not
trusted. See below if you don't want to disable browsing for the entire
virtual host.

Second:
even if you have already disabled directory browsing, that is not all.
Cobalt's scripts do not disable access to the files inside WEB-INF.
Check it by pointing your browser to:
http://<yourdomain>/WEB-INF/web.xml

From web.xml a visitor can read the names of your servlet classes, download
a servlet by pointing his browser to
http://<yourdomain>/WEB-INF/classes/<servletName.class>,
then decompile it and, for example, recover the user name and password
for your database.

To disable it, make the following changes in httpd.conf. Note that
<Directory> takes a filesystem path, not a URL path, so each block must name
the real location of the WEB-INF directory on disk; "Order deny,allow" makes
the Deny take effect regardless of any Order set elsewhere in the file:
<VirtualHost your.IP.address.here>
... snip ... various config directives ...
# add these new instructions:
<Directory "<document root of this virtual host>/WEB-INF">
  Options None
  Order deny,allow
  Deny from all
</Directory>
# add it for each web-app you have installed:
<Directory "/<web-app path>/WEB-INF">
  Options None
  Order deny,allow
  Deny from all
</Directory>

</VirtualHost>

After this correction Apache will refuse to serve anything under WEB-INF, so
visitors can no longer read your deployment descriptor or download your
class files through the web server.
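
As an added example (not from this post and not part of Cobalt's kit), the
following POSIX shell script puts both checks and the fix together: it probes
a site for the directory listing and the direct web.xml/class fetch described
above and, instead of one <Directory> block per web application, installs a
single server-wide <DirectoryMatch> that denies WEB-INF (and META-INF) for
every application at once. The hostname, the httpd.conf path and the presence
of curl and apachectl (Apache 1.3 syntax) are assumptions.

```shell
#!/bin/sh
# webinf_guard.sh: probe a site for an exposed WEB-INF and install a
# server-wide deny rule.  Added example for this post; not Cobalt's code.
# Assumptions: curl and apachectl are on the PATH (Apache 1.3 syntax), and
# the fragment is appended to the main httpd.conf so it covers every vhost.
#
# Usage:
#   sh webinf_guard.sh check http://www.example.com
#   sh webinf_guard.sh fragment
#   sh webinf_guard.sh install /etc/httpd/conf/httpd.conf

# Turn an HTTP status into a verdict.  200 for anything under WEB-INF means
# the server hands it to anonymous visitors; 403 means a Deny rule works.
classify() {
    case "$1" in
        200) echo "EXPOSED" ;;
        403) echo "denied" ;;
        404) echo "absent" ;;
        *)   echo "unexpected($1)" ;;
    esac
}

# Probe the two URLs the post names plus the directory listing itself.
# Prints "<verdict> <url>" per path and returns 1 if anything is exposed.
check_host() {
    base="${1%/}"
    rc=0
    for p in /WEB-INF/ /WEB-INF/web.xml /WEB-INF/classes/; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$p")
        verdict=$(classify "$code")
        echo "$verdict $base$p"
        if [ "$verdict" = "EXPOSED" ]; then rc=1; fi
    done
    return $rc
}

# One DirectoryMatch covers WEB-INF (and META-INF, which holds the same kind
# of metadata) of every web application on the server, so a newly deployed
# application cannot be forgotten.  "Order deny,allow" makes the Deny
# effective whatever Order the surrounding configuration uses.
fragment() {
    cat <<'EOF'
# Never serve servlet metadata or class files directly through Apache.
<DirectoryMatch "/(WEB|META)-INF(/|$)">
    Options None
    Order deny,allow
    Deny from all
</DirectoryMatch>
EOF
}

# Append the fragment, then let Apache validate the result before reloading;
# a syntax error here would otherwise take every site on the box down.
install_fragment() {
    conf="$1"
    if grep -q 'DirectoryMatch "/(WEB|META)-INF' "$conf"; then
        echo "fragment already present in $conf"
        return 0
    fi
    cp "$conf" "$conf.bak" || return 1
    fragment >> "$conf"
    if apachectl configtest; then
        apachectl graceful
    else
        echo "configtest failed, restoring $conf from $conf.bak" >&2
        cp "$conf.bak" "$conf"
        return 1
    fi
}

main() {
    case "$1" in
        check)    check_host "$2" ;;
        fragment) fragment ;;
        install)  install_fragment "$2" ;;
        *)        echo "usage: $0 check URL | fragment | install HTTPD_CONF" >&2 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run "check" first to confirm the exposure, "install" once against the real
httpd.conf, then "check" again and expect "denied" for all three paths.
Because DirectoryMatch matches the filesystem path, it also covers web
applications whose document root is not under /home/sites.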

Hope it will be helpful to all users of Cobalt's Tomcat implementation.

Regards,
Alex