DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 --- Additional Comments From [EMAIL PROTECTED] 2005-04-29 22:12 --- Where exactly in the spec does it say to return 404 instead of 403? -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 [EMAIL PROTECTED] changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution||FIXED --- Additional Comments From [EMAIL PROTECTED] 2005-03-17 13:07 --- Fixed in the CVS for mod_jk. Thanks for spotting that we did not follow the Servlet spec. Mladen -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 [EMAIL PROTECTED] changed: What|Removed |Added Status|CLOSED |REOPENED Component|Unknown |Connector:JK/AJP Keywords||ErrorMessage, ||NeedsReleaseNote Resolution|FIXED | Version|4.1.30 |4.1.31 --- Additional Comments From [EMAIL PROTECTED] 2005-03-02 19:22 --- Finding: When the scanning tools guessed WEB-INF directory, the error message indicated that access to the directory was denied. As a result, the error message confirmed the existence of this directory. Tomcat response HTTP Status 404, while isapi_redirect.dll redirector responses Access forbidden!, which is HTTP Status 403. Example: http://localhost:8080/WEB-INF/ Return: HTTP Status 404 - /WEB-INF/ This is correct. http://localhost:80/WEB-INF/ Return: Access forbidden! You don't have permission to access the requested object. It is either read- protected or not readable by the server. This should be 404, not 403. I have checked the code, jakarta-tomcat-connectors-1.2.8- src\jk\native\isapi\jk_isapi_plugin.c, at line 713, and it does response 403 HTTP Status. I cannot find the place to change it from configuration file except re-compile this redirector. While directory listing is not strictly considered vulnerability, I suggest to response 404 HTTP Status to hide the directory, like Tomcat does now. I found a link http://jakarta.apache.org/tomcat/connectors-doc/howto/iis.html mentions something like this: Protecting the WEB-INF Directory , this directory contains sensitive configurations data and Java classes and must be kept hidden from web users. Using the IIS management console it is possible to protect the WEB-INF directory from user access,. To avoid this need the redirector plugin automatically protects your WEB-INF directories by rejecting any request that contains WEB-INF in its URL-Path. I tried to configure IIS, but it looks like jk_isapi gets higher priority to handle the request and always returns 403 status. Without re-compile the program, how can I make IIS return 404 status? Or maybe next release will do? Recommendation from Cert: When an unauthorized user attempts to access a directory, they should receive an error message that doesn't confirm the existence of the directory. Whether a user is trying to access a valid or invalid directory, they should receive the same error message. My system environment: Win 2K Tomcat 4.1.31 IIS 5 JK-1.2.8 - isapi_redirect-1.2.8.dll binary version - 17 December -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 --- Additional Comments From [EMAIL PROTECTED] 2004-12-15 17:52 --- (In reply to comment #5) Fixed in the CVS. Hi again. Thank you very much for the correction of the bug. Meanwhile, is there any possibility for you to compile the code and send it to me? I'm very desperate because we'll have an inspection team looking at our code (and bugs) tomorrow and i have no time to compile the entire project. I would have even to install VC++, since i don't have it installed in my machine. So, please, can you help me in this issue? Many thanks. Hugo Mendonça -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 --- Additional Comments From [EMAIL PROTECTED] 2004-12-14 17:25 --- (In reply to comment #1) WEB-INF is protected folder. The log file says: HttpFilterProc [/web-inf./web.xml] points to the web-inf or meta-inf directory. Somebody try to hack into the site!!! So what's unclear? Like i said clearly in the last thread IIS service stops. That's the problem! Imagine a have a Web Server and a Hacker. If the hacker tries to make GET /WEB- INF./web.xml http/1.1 every 1 minute (or so), my Web Server will stop every time, because IIS Stops. I know that WEB-INF is protected but that does not mean that he simply throws down IIS everytime somebody tries to access it. It makes no sense at all! I believe this is not a normal behaviour. What's your opinion? Tks. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 [EMAIL PROTECTED] changed: What|Removed |Added Status|RESOLVED|CLOSED --- Additional Comments From [EMAIL PROTECTED] 2004-12-14 20:35 --- Fixed in the CVS. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 [EMAIL PROTECTED] changed: What|Removed |Added Status|RESOLVED|REOPENED Resolution|INVALID | --- Additional Comments From [EMAIL PROTECTED] 2004-12-14 19:56 --- You are correct. The IIS really shuts down. I'll fix that security hole ASAP. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 [EMAIL PROTECTED] changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution||FIXED --- Additional Comments From [EMAIL PROTECTED] 2004-12-14 20:20 --- Fixed in the CVS. The patch will be available for testing in beta-4 if released or at 1.2.8 -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 32696] - WEB-INF protection stops IIS
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=32696. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=32696 [EMAIL PROTECTED] changed: What|Removed |Added Status|NEW |RESOLVED Resolution||INVALID --- Additional Comments From [EMAIL PROTECTED] 2004-12-14 16:43 --- WEB-INF is protected folder. The log file says: HttpFilterProc [/web-inf./web.xml] points to the web-inf or meta-inf directory. Somebody try to hack into the site!!! So what's unclear? -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]