The Community Forums


Apache + Tomcat: .htaccess, PHP & WEB-INF file exposure

Discussion in 'cPanel Developers' started by cothrun, Oct 25, 2004.

  1. cothrun (Member; joined Oct 22, 2003; 19 messages; 0 likes received; 1 trophy point)

    This is sort of obvious but I thought I should bring it up for discussion of fixes.

    Enabling Tomcat on an account full of .php allows those files' source to be read through the Tomcat web server (default port 8080). So all the database passwords are hanging there out in the open, along with admin passwords on some webapps.

    Tomcat also displays .htaccess files.

    O'Reilly's Tomcat: The Definitive Guide suggests adding the following to the end of the $CATALINA_HOME/conf/web.xml file's servlet-mapping entries:
    Code:
    <!-- maps .htaccess requests to the "invoker" servlet instead of the default (file-serving) servlet -->
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>*.htaccess</url-pattern>
    </servlet-mapping>
    
    Perhaps the above could be adapted to help with the PHP issues.

    Likewise, it appears the default Apache configuration exposes the WEB-INF and META-INF folders. Here is suggested code for dealing with this issue:
    Code:
    # Apache 2.2 syntax. AllowOverride is only valid inside <Directory> blocks
    # (Apache refuses to start with it inside <LocationMatch>), so it is omitted here.
    <LocationMatch "/WEB-INF/">
        Order deny,allow
        Deny from all
    </LocationMatch>
    <LocationMatch "/META-INF/">
        Order deny,allow
        Deny from all
    </LocationMatch>
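A Tomcat-side block that does not rely on the invoker servlet, added here as an example (it is not from the post or from the book): a security-constraint with an empty auth-constraint makes Tomcat refuse every request matching the listed patterns. It assumes Tomcat's conf/web.xml (or one webapp's WEB-INF/web.xml) and the Servlet 2.3+ syntax that Tomcat 4/5 accept.

```xml
<!-- Added example, not part of the original post. Place inside <web-app> in
     $CATALINA_HOME/conf/web.xml (applies to every webapp) or in a single
     application's WEB-INF/web.xml. No <login-config> is needed: an empty
     <auth-constraint/> means "no role may access", so Tomcat answers 403
     instead of handing the file to the default (file-serving) servlet. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Files that only Apache should serve</web-resource-name>
        <!-- PHP source must never be delivered verbatim by Tomcat -->
        <url-pattern>*.php</url-pattern>
        <!-- Apache per-directory config; extension matching also covers /.htaccess -->
        <url-pattern>*.htaccess</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

After a Tomcat restart, a request for an existing .php file on port 8080 should return 403 rather than the file's contents.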
    
     
  2. casey (Well-Known Member; joined Jan 17, 2003; 2,303 messages; 0 likes received; 36 trophy points; location: If there is trouble, it will find me)

    I tried that, but Tomcat wouldn't start.
     
