Warning: Security Hole With IIS & Tomcat

[Russell, Steve]

Hi; My company is running a jsp site on IIS 5 with windows 2000, and all of the security patches. We discovered that if we use tomcat or jrun 2.3.3 with IIS that that we have to set up the tomcat ( or jrun ) directories as virtual directories ___with execute permissions turned on__. This got us hacked into. I don't understand how.  It has something to do with how IIS handles malformed urls leaving IIS open to attacks if directories associated with a web site have execute permissions granted. Does Apache have a similar vulnerability?   Steve Russell Web Developer III ValueOptions - Lifescape 703-205-6589 [EMAIL PROTECTED]   ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by email, delete and destroy this message and its attachments. **********************************************************************