6 Replies Latest reply on Mar 28, 2005 12:32 PM by panu viljamaa

    Security Threat

    panu viljamaa Newbie

      On JBoss 4.0.1, if I enter the URL:

      http://myhost/web-inf/web.xml


      it works pretty much like it should, reporting a 404.
      However, if I add a period inside the URL as follows:

      http://myhost/web-inf./web.xml

      the browser now shows me the contents of the file 'web.xml'!

      This to me seems to be a pretty serious security threat. It works this way for my other webapps too, showing their configuration file to anyone who knows about this trick. For instance:

      http://myhost/myWebApp/web-inf./web.xml


      What's the best way to hide the contents of these web.xml files?
      Are there other known exploits with '.' in jboss/tomcat URLs, to display files whose content should be hidden from end-users?

      Thanks
      -panuv
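One defence against the class of bypass described in this post, as an added example (it is not code from this thread, from JBoss or from Tomcat): a servlet filter that canonicalises each path segment the way the file system is assumed to, so that the access decision is made on what will actually be opened rather than on the raw URI string. The filter class name, the assumption that the container runs on a Windows file system (trailing dots and spaces in a name are ignored, names are case-insensitive), and the mapping to "/*" are all assumptions, not facts from the page.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.LinkedList;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter (map it to "/*" in web.xml): judges the path as the
 *  file system would see it rather than as the raw URI string. */
public class ProtectedDirFilter implements Filter {
    /** Canonicalises a request path segment by segment: URL-decodes, resolves
     *  "." and "..", strips trailing dots and spaces (assumed Windows file-name
     *  rule, so "web-inf." names the WEB-INF directory) and lower-cases. */
    static String canonicalPath(String rawPath) throws IOException {
        LinkedList<String> out = new LinkedList<String>();
        for (String seg : rawPath.split("/")) {
            String s = URLDecoder.decode(seg, "UTF-8");
            if (s.length() == 0 || s.equals(".")) continue;
            if (s.equals("..")) {
                if (!out.isEmpty()) out.removeLast();
                continue;
            }
            s = s.replaceAll("[. ]+$", "");   // "web-inf." -> "web-inf"
            if (s.length() == 0) continue;    // "..." collapses to nothing
            out.addLast(s.toLowerCase());
        }
        StringBuilder sb = new StringBuilder();
        for (String s : out) sb.append('/').append(s);
        return sb.length() == 0 ? "/" : sb.toString();
    }
    static boolean isProtected(String rawPath) throws IOException {
        String p = canonicalPath(rawPath);
        return p.equals("/web-inf") || p.startsWith("/web-inf/")
            || p.equals("/meta-inf") || p.startsWith("/meta-inf/");
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // getRequestURI() is still encoded; drop the context path to get the
        // part of the URI that is resolved inside this webapp
        String inApp = r.getRequestURI().substring(r.getContextPath().length());
        if (isProtected(inApp)) {                 // answer exactly as for a
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;                               // missing file: plain 404
        }
        chain.doFilter(req, res);
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

The canonical form also catches case differences and percent-encoded dots, which is why the check is done on the rebuilt path and not with a string compare against the literal "WEB-INF".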