On 11/22/2012 8:35 AM, Aditi Sinha wrote:
Thanks Guys.

As per my reading of the suggested material and looking at the logs that
Andre has shared, I think there are two ways in which the directory
traversal attack could be made.

1. By having ..\ equivalents in the URL itself
2. By having ..\ equivalents in the request parameters.

In my case, I am not worried about the request parameters since my
application doesn't handle any such path related queries and all request
parameters are signed by our client app.

So, it would really help me narrow down on a course of action if you guys
can tell me -

*Whether someone can get access to any file/directory outside the tomcat
webapps folder using "Style 1 (using ..\ equivalent in the URL itself)
  Directory traversal attack (scoped to Tomcat) on Windows".*


You could certainly block that by ensuring that the user tomcat is running under does not have permissions to anything outside the directory where your webapp is deployed.
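The reply above answers at the operating-system level (restrict what the Tomcat service account can read). The application-level complement is to normalise every requested path and refuse anything that resolves outside the webapp root. The following is an added example written for this thread, not code from Tomcat or from either poster; the root path, the `resolve_request_path` helper and the test inputs are constructed for illustration. It folds `\` into `/` the way Windows does, so the `..\` spellings the question asks about are caught the same as `../`, and it percent-decodes repeatedly so an encoded dot-dot does not slip past a single decode.

```python
"""
Added example (not from the thread): a server-side containment check that
a requested path, after URL-decoding and normalisation, stays inside the
webapp root. Both '/' and '\\' are treated as separators, as Windows does.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical webapp root; a constructed value for this example.
WEBAPP_ROOT = "/srv/tomcat/webapps/myapp"


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded '%252e' is unmasked."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_request_path(raw_path: str, root: str = WEBAPP_ROOT) -> Optional[str]:
    """Return the normalised absolute path if it stays under root, else None."""
    decoded = decode_fully(raw_path)
    # Windows accepts backslash as a separator; fold it before normalising.
    decoded = decoded.replace("\\", "/")
    # A NUL byte would truncate the path in lower layers; reject outright.
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment test: the resolved path must be the root itself or
    # a descendant of it (note the trailing '/' so 'myapp2' is not accepted).
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample requests: one benign, two traversal attempts.
    for req in ("images/./logo.png", "..\\..\\conf\\server.xml", "%2e%2e%5cconf"):
        print(repr(req), "->", resolve_request_path(req))
```

The check is deliberately independent of the filesystem, so it can run before any file is opened; the OS permission boundary the reply describes then acts as the second layer if the application check is ever bypassed.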


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
