https://bz.apache.org/bugzilla/show_bug.cgi?id=69752
Bug ID: 69752
Summary: HOST appBase = "" accepted as valid option
Product: Tomcat 9
Version: 9.0.102
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
The appBase argument for the Host element accepts an empty string "".
This leads to exposing all directories in the Tomcat base directory to simple
requests like http://domain/conf/server.xml.
It's HIGHLY UNLIKELY that any user will ever leave this empty on purpose to do
exactly that, exposing his server config to the public this way.
Requested Fix:
Set appBase to "webapps" if appBase:
- is found empty
- is the base directory
- is a symlink to the base directory
- is "conf" or contains "conf/"
Never allow tomcat-users.xml or any security-related file to be read.
I was shocked to see this be possible in the wild :(
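A configuration audit for the misconfiguration described in this report, as an added example that is neither Tomcat's code nor the reporter's. It assumes Tomcat's documented rule that a relative appBase is resolved against CATALINA_BASE (so "" lands on the base directory itself), reads the Host elements from a constructed server.xml, and flags the four cases the reporter lists: empty, the base directory, a symlink to it, or a path under conf/.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not Tomcat's shipped file): one sane Host,
# one with an empty appBase, one under conf/, and one using a symlink "link".
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true"/>
      <Host name="empty.example" appBase=""/>
      <Host name="conf.example" appBase="conf/deploy"/>
      <Host name="link.example" appBase="link"/>
    </Engine>
  </Service>
</Server>
"""

def resolve_app_base(catalina_base, app_base):
    """Mirror Tomcat's rule: absolute appBase is used as-is, relative is joined to
    CATALINA_BASE. realpath follows symlinks, so a link to the base is caught."""
    path = app_base if os.path.isabs(app_base) else os.path.join(catalina_base, app_base)
    return os.path.realpath(path)

def check_host_app_base(catalina_base, app_base):
    """Return a list of findings for one Host's appBase (empty list means OK)."""
    findings = []
    base = os.path.realpath(catalina_base)
    conf = os.path.join(base, "conf")
    resolved = resolve_app_base(catalina_base, app_base)
    if app_base.strip() == "":
        findings.append("appBase is empty: it resolves to CATALINA_BASE, exposing conf/ and other internals")
    if resolved == base:
        findings.append("appBase resolves to CATALINA_BASE itself")
    if resolved == conf or resolved.startswith(conf + os.sep):
        findings.append("appBase resolves inside conf/: server.xml and tomcat-users.xml would be servable")
    return findings

def audit_server_xml(catalina_base, server_xml_text):
    """Map each Host name to its findings; a missing appBase means Tomcat's default "webapps"."""
    root = ET.fromstring(server_xml_text)
    return {h.get("name"): check_host_app_base(catalina_base, h.get("appBase", "webapps"))
            for h in root.iter("Host")}

def audit_sample():
    """Build a throwaway CATALINA_BASE with conf/ and a symlink to itself, then audit the sample."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "conf"))
        os.symlink(base, os.path.join(base, "link"))  # constructed symlink-to-base case
        return audit_server_xml(base, SAMPLE_SERVER_XML)

if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, findings or "OK")
```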