There is a security hole on Jetty 3 servers running on NT or
other case insensitive file systems. The problem allows
security constraints protecting files within the docroot
to be bypassed by requesting the same path with a different
combination of character case.
For example, Jetty protects the contents of WEB-INF with a URL
path match against /WEB-INF/*.
Unfortunately, a request for /WeB-iNf/web.xml will get past the
security check, but ResourceHandler will still serve the
file, as the filesystem finds it with a case insensitive match.
This will also affect any security-constraints defined in web.xml.
Currently there is no fix for this problem, other than listing
every case combination in the web.xml and webdefaults.xml files.
Alternatively, contexts can be defined for the secure documents
and security constraints can be made on the default path "/",
which does not contain any alphabetic characters.
We are working on a real fix for release ASAP.
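The mismatch described above, modelled as an added example that is not Jetty code: a constraint check on the raw request path beside a hardened check that also tests the name the filesystem actually resolved the request to. DOCROOT, fs_lookup, matches, vulnerable_serve and hardened_serve are constructed stand-ins for the docroot, the NT filesystem lookup and the servlet URL-pattern match.

```python
# Constructed stand-in for a docroot on a case-insensitive filesystem:
# the filesystem keeps the true names, but lookups ignore case.
DOCROOT = {"/index.html": "hello", "/WEB-INF/web.xml": "<web-app/>"}


def fs_lookup(path, case_insensitive=True):
    """Return (canonical_name, contents) as the filesystem would, or None."""
    for name, body in DOCROOT.items():
        if name == path or (case_insensitive and name.lower() == path.lower()):
            return name, body
    return None


def matches(pattern, path):
    """Servlet-style URL pattern: "/" matches everything, "/prefix/*" is a
    case-sensitive prefix match, anything else is an exact match."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def vulnerable_serve(request_path, constraints):
    """Jetty 3 style: the constraint is checked against the raw request
    path only, then the filesystem serves whatever it finds."""
    if any(matches(p, request_path) for p in constraints):
        return "403"
    hit = fs_lookup(request_path)
    return hit[1] if hit else "404"


def hardened_serve(request_path, constraints):
    """Resolve the request first and apply the constraints to both the
    requested name and the resolved name, so a case variation cannot
    split the security view from the filesystem view."""
    hit = fs_lookup(request_path)
    if hit is None:
        return "404"
    canonical, body = hit
    for p in constraints:
        if matches(p, request_path) or matches(p, canonical):
            return "403"
    return body
```

The "/" constraint shows the workaround from the text: it denies every path, including the case-varied one, without depending on any alphabetic characters.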
--
Greg Wilkins<[EMAIL PROTECTED]> GB Phone: +44-(0)2074394045
Mort Bay Consulting Australia and UK. Mbl Phone: +44-(0)7775534369
http://www.mortbay.com AU Phone: +61-(0)2 99772395