


Block Tomcat 5.5 Directory listing vulnerability with Apache <Directory>

Hi all,

I have been trying to block the Tomcat directory listing vulnerability
using Apache's Directory with no success.

Has anyone been able to fix that? We can't upgrade Tomcat as
recommended by the CVE, and that flaw is also present on versions above
5.5.17.

Here is the vulnerability:
http://www.securityfocus.com/bid/19106/exploit

Basically any URL like http://foo.com/; (with a semicolon at the end)
displays the directory files.

This is what I'm trying to do:

<Directory ~ "^\;">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from none
</Directory>

I have tried a couple of different regexes but nothing has worked so far.

Thank you

Leo

0
leonardobgil
12/18/2006 11:14:52 PM
comp.infosystems.servers.unix

"leonardobgil@gmail.com" <leonardobgil@gmail.com> said:
>I have been trying to block the Tomcat directory listing vulnerability
>using Apache's Directory with no success.

At least as a first reaction, <Directory> is not the correct directive
for this: the requests that are forwarded to Tomcat never reach the
"directory space" from Apache's point of view. <Location> might be
a better guess - but even then it's a question of precedence between
the <Location> entry and whatever you're using to forward requests
to Tomcat (mod_proxy, mod_jk).
-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
0
Juha
12/20/2006 4:12:03 PM
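
An added example, not part of either post: a sketch of the <Location>-style approach the reply suggests, written in the same Order/Deny access-control syntax the question uses. It assumes every request to Tomcat passes through this Apache instance, and the pattern covers only the URL form quoted in the question (a path ending in a semicolon).

```apache
# <Directory> sections are matched against filesystem paths. A request that
# is forwarded to Tomcat is never mapped to a path on Apache's disk, so a
# pattern such as "^\;" inside <Directory ~ ...> is never compared with it.
#
# <LocationMatch> is matched against the request URL path instead, which is
# where the trailing semicolon actually appears.

# Refuse any request whose URL path ends in ";", e.g. "/;" or "/app/;".
<LocationMatch ";$">
    Order allow,deny
    Deny from all
</LocationMatch>

# Broader variant (assumption: the application does not use URL path
# parameters). This refuses every path containing ";" and would therefore
# also block ";jsessionid=..." URL rewriting, so it is left commented out.
#<LocationMatch ";">
#    Order allow,deny
#    Deny from all
#</LocationMatch>
```

Because of the precedence question raised in the reply, confirm the rule takes effect with the forwarding module in use (mod_proxy or mod_jk): request a semicolon URL through Apache and check that Apache answers 403 and that nothing for that request appears in Tomcat's access log.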