
Re: PANIC: Huge security hole with webserving on OSXS?



Simple hack:
Tell apache to send *.JSP files to the servlet container too.

Another approach:
http://httpd.apache.org/docs/mod/mod_speling.html

If installed and used by Apache it allows case to be ignored
and also allows for other mistakes in the filename. If it
does not appear to be working, despite being installed and
configured, there may be module ordering issues to work out.


I don't use the Apache httpd that Apple provides out of the
box but Apache->mod_webapp->Tomcat does not appear to have
the problem mentioned below. It will, however, report that
foo.JSP does not exist, and send back a 404 (Not Found)
message to the client.

The way that mod_webapp works, however, is that everything in a
particular path, say everything in "/apps/", is handled by
Tomcat. It doesn't pattern match on *.jsp, which is probably
why it doesn't exhibit this behavior.


Peter


Didde wrote:
Hey..

Please, tell me that I am the culprit in this situation and that this is not a problem which lies with Apache on OSXS!

Apache is set up to serve up "static" content, and a Servlet Container (Tomcat or Caucho Resin) is set up to handle requests for *.jsp's. Now, the problem is: Apache on the Mac is case sensitive / not case sensitive.. Which means:

http://www.foo.bar/foo.jsp >> Goes to the Servlet Container and the Java code is processed.

http://www.foo.bar/foo.JSP >> Does not equal http://www.foo.bar/foo.jsp to Apache so it will serve up the Java code within the page to the client, UNPROCESSED!

Geeez, c'mon here.. There must be a way for Apache to know that *.JSP and *.jsp are the same thing?????

Please, anyone??

//Didde.
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
Do not post admin requests to the list. They will be ignored.
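The following configuration is an added example, not part of the thread and not Apple's or the Apache project's own configuration. It shows the "simple hack" from the reply (send *.JSP to the servlet container as well) and the path-based mounting that mod_webapp does, in Apache 2.4 syntax. It assumes mod_proxy_ajp with Tomcat's AJP connector on localhost:8009 and a DocumentRoot of /Library/WebServer/Documents; both are assumptions, adjust them to your setup.

```apache
# Added example (not from the list thread). Assumes Apache 2.4 with
# mod_proxy_ajp loaded, Tomcat's AJP connector on localhost:8009, and
# a DocumentRoot of /Library/WebServer/Documents (all assumed).

# WEAK: extension-based forwarding with a case-sensitive pattern.
# /foo.jsp is handed to Tomcat, but /foo.JSP does not match, so Apache
# maps it to the filesystem instead. On a case-insensitive volume (HFS+)
# foo.JSP resolves to foo.jsp on disk and the raw JSP source, including
# any database credentials in it, is served to the client as a static file.
#
# ProxyPassMatch "^/(.*\.jsp)$" "ajp://localhost:8009/$1"

# FIX 1 (the "simple hack"): make the pattern case-insensitive with the
# PCRE (?i) flag, so foo.JSP, foo.Jsp, FOO.JSP all go to the container.
ProxyPassMatch "(?i)^/(.*\.jsp)$" "ajp://localhost:8009/$1"

# FIX 2 (preferred, the mod_webapp model): mount a whole path prefix, so
# routing never depends on the extension at all. Keep only static content
# under DocumentRoot and keep the webapp, with its .jsp files, out of it.
ProxyPass        "/apps/" "ajp://localhost:8009/apps/"
ProxyPassReverse "/apps/" "ajp://localhost:8009/apps/"

# Defence in depth: if JSP source ever ends up under DocumentRoot, refuse
# to serve it as a static file, whatever the case of the extension.
<Directory "/Library/WebServer/Documents">
    <FilesMatch "(?i)\.jspx?$">
        Require all denied
    </FilesMatch>
</Directory>
```

A quick check after reloading is to request the same page with an upper-case extension (for example /foo.JSP) and confirm the response is rendered output from the container or a 403/404, never a body containing `<%` scriptlet tags. On the mod_speling suggestion: its fixup only fires when the requested file is not found on disk, so on a case-insensitive HFS+ volume foo.JSP already stats successfully and mod_speling never gets the chance to redirect to foo.jsp; it helps on case-sensitive filesystems but is not a fix for this particular case.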

References: 
 >PANIC: Huge security hole with webserving on OSXS? (From: Didde <email@hidden>)


