
Re: [cobalt-developers] Again security violation in Cobalt Developer Kit for Java



This is correct, although I would recommend something like the following be added to your access.conf file in the /etc/httpd/conf directory.


<Location "/WEB-INF/">
    # AllowOverride is only valid inside <Directory> sections, so it is not used here
    Order deny,allow
    Deny from all
</Location>


This will work for all sites. Advanced users will of course need to include an extended path as mentioned below. Most people using the default pkg site config (using the perl script) will always have the WEB-INF directory in their root web tree, so this will do the trick once and for all.


Alexander Povargo wrote:

Hi,

it may be important to all who use Cobalt Developer Kit for Java.
First:
The default configuration of Apache-Tomcat doesn't hide the content of the
WEB-INF directory and everything below it from web browsing. Cobalt's default access.conf configuration is:
<Directory /home/sites/siteN>
AllowOverride All
Options All
</Directory>
It allows any visitor to look at and browse your WEB-INF and all directories below it.
Try to check it: point your web browser to:
http://<yourdomain>/WEB-INF
http://<yourdomain>/WEB-INF/classes

You can disable such browsing for all directories of the required virtual hosts by changing access.conf as stated below:
<Directory /home/sites/siteN>
AllowOverride All
Options -Indexes
</Directory>

or see below if you don't want to disable browsing for entire virtual hosts.

Second:
Even if you have already disabled web browsing of directories, that is not all.
Cobalt's scripts don't disable access to files in WEB-INF.
Try to check it by pointing your browser to:
http://<yourdomain>/WEB-INF/web.xml

Your visitor can see the name of your servlet from the URL, can download
your servlet by pointing his browser to http://<yourdomain>/WEB-INF/classes/<servletName.class>,
then decompile it and, for example, hack your user name and password
for your database.

To disable it, make the following changes in httpd.conf:
<VirtualHost your.IP.address.here>
.... snip ... various config directives ...
# add these new directives. <Directory> takes a filesystem path, not a URL
# path, so give the full path of the site's root WEB-INF (e.g. under /home/sites/siteN):
<Directory "/<site document root>/WEB-INF">
  Options None
  Deny from all
</Directory>
# add it for each web-app you have installed (again the full filesystem path):
<Directory "/<web-app path>/WEB-INF">
  Options None
  Deny from all
</Directory>

</VirtualHost>

After this correction your web applications will be protected from viewing and tampering.

I hope it will be helpful to all users of Cobalt's Tomcat implementation.

Regards,
Alex

_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers


--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone/fax 707.766.9509
http://www.obsidian-studios.com
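The thread above recommends checking by hand whether /WEB-INF, /WEB-INF/web.xml and the compiled servlets under /WEB-INF/classes are reachable, and then blocking them in access.conf or httpd.conf. A defender will also want to know, after the fact, whether anyone already fetched those paths and whether the block is actually working. The following script is an added example written for this page, not code from either poster or from Cobalt; it parses Apache common/combined access log lines (the sample lines are constructed, not real traffic), flags every request whose path contains a WEB-INF component, and reports whether the server answered 2xx (the file was served, i.e. still exposed) or 401/403/404 (blocked). The log format, regexes and function names are this example's own assumptions.

```python
"""Audit Apache access logs for requests that reached a WEB-INF directory.

Added example for the cobalt-developers thread on exposed WEB-INF content.
Assumes Apache common/combined log format; all sample data is constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Common/combined log format up to the response size; anything after
# (referer, user agent) is ignored by match().
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A WEB-INF path component anywhere in the path: covers the root web tree
# (/WEB-INF/...) as well as per-web-app trees (/shop/WEB-INF/...).
WEB_INF_RE = re.compile(r'(?:^|/)WEB-INF(?:/|$)', re.IGNORECASE)

# Constructed sample log lines (documentation IPs, fabricated timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2000:13:55:40 -0700] "GET /WEB-INF/ HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2000:13:55:44 -0700] "GET /WEB-INF/web.xml HTTP/1.0" 200 812 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2000:13:55:50 -0700] "GET /WEB-INF/classes/Login.class?x=1 HTTP/1.0" 200 4096 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Oct/2000:14:01:02 -0700] "GET /shop/WEB-INF/web.xml HTTP/1.0" 403 289 "-" "curl/7.0"',
    '198.51.100.9 - - [10/Oct/2000:14:01:05 -0700] "GET /shop/WEB-INFO/readme HTTP/1.0" 200 120 "-" "curl/7.0"',
    'this line is not in Apache log format and is skipped',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_status(status: int) -> str:
    """Map an HTTP status to what it means for a WEB-INF request."""
    if 200 <= status < 300:
        return "exposed"      # content was actually served
    if status in (401, 403, 404):
        return "blocked"      # access denied or nothing served
    return "other"            # redirects, server errors, etc.


def audit_web_inf(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request whose decoded path contains WEB-INF."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip the query string and decode %XX escapes before matching,
        # so "/WEB-INF/web.xml?x=1" and "/WEB%2DINF/" are both caught.
        path = unquote(urlsplit(rec["target"]).path)
        if not WEB_INF_RE.search(path):
            continue
        status = int(rec["status"])
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "path": path,
            "status": str(status),
            "verdict": classify_status(status),
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per verdict; any 'exposed' count means the block is not in place."""
    counts = {"exposed": 0, "blocked": 0, "other": 0}
    for f in findings:
        counts[f["verdict"]] += 1
    return counts


if __name__ == "__main__":
    results = audit_web_inf(SAMPLE_LOG)
    for f in results:
        print(f"{f['verdict']:8} {f['status']} {f['ip']:14} {f['path']}")
    print(summarize(results))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; after adding the Deny directives from the thread, every WEB-INF request should classify as "blocked", and any remaining "exposed" entries point to a web-app path the configuration does not yet cover.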