Apache + Tomcat: .htaccess, PHP & WEB-INF file exposure

cothrun

Member
Oct 22, 2003
This is sort of obvious but I thought I should bring it up for discussion of fixes.

Enabling Tomcat on an account full of .php allows those files' source to be read through the Tomcat web server (default port 8080). So all the database passwords are hanging there out in the open, along with admin passwords on some webapps.

Tomcat also displays .htaccess files.

O'Reilly's Tomcat: The Definitive Guide suggests adding the following to the end of the $CATALINA_HOME/conf/web.xml file's servlet-mapping entries:
Code:
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>*.htaccess</url-pattern>
    </servlet-mapping>
This maps all requests for .htaccess in all web applications to the invoker servlet, which in turn will generate an "HTTP 404: Not Found" error page because it can't load a servlet class by that name. Technically, this is bad form, since if Tomcat could find and load a class by the requested name (.htaccess), it might run that class instead of reporting an error. However, class names can't begin with a period, so this is a pretty safe solution.

Additionally, if you're not using the invoker servlet, you should disable it; if it's disabled, you can't map requests for specific names. The proper way to configure Tomcat not to serve .htaccess files is to write, compile, and configure a custom error-generating servlet to which you can map these forbidden requests.

Perhaps the above could be adapted to help with the PHP issues.

Likewise, it appears the default Apache configuration exposes the WEB-INF and META-INF folders. Here is suggested code for dealing with this issue:
Code:
<LocationMatch "/WEB-INF/">
    AllowOverride None
    deny from all
</LocationMatch>
<LocationMatch "/META-INF/">
    AllowOverride None
    deny from all
</LocationMatch>
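A way to refuse these requests in Tomcat that does not depend on the invoker servlet being enabled, added here as an example (it is not from the original post or from the book quoted above): a security-constraint whose auth-constraint is empty grants the matched URL patterns to no role at all, so Tomcat answers every request for them with HTTP 403 instead of serving the file. The patterns shown are assumptions chosen to match the .htaccess and .php cases raised above; add whatever other extensions Apache alone should handle.

```xml
<!-- Added example, not the original post's configuration.
     Place this inside the <web-app> element of
     $CATALINA_HOME/conf/web.xml (applies to every web application)
     or of a single application's WEB-INF/web.xml. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Files served by Apache only</web-resource-name>
        <!-- *.ext patterns match the last path segment's extension;
             "/.htaccess" has extension "htaccess", so it matches. -->
        <url-pattern>*.htaccess</url-pattern>
        <url-pattern>*.php</url-pattern>
        <!-- No http-method element: the constraint covers all methods. -->
    </web-resource-collection>
    <!-- An empty auth-constraint permits no role, so no client can ever
         satisfy it; Tomcat returns 403 Forbidden without consulting any
         realm or login-config. -->
    <auth-constraint/>
</security-constraint>
```

After restarting Tomcat, a request for any .php or .htaccess path on port 8080 should return 403 rather than the file's source; WEB-INF and META-INF are already refused by Tomcat itself, so they need no extra pattern here.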
 

casey

Well-Known Member
Jan 17, 2003
cothrun said:
Tomcat also displays .htaccess files.

O'Reilly's Tomcat: The Definitive Guide suggests adding the following to the end of the $CATALINA_HOME/conf/web.xml file's servlet-mapping entries:
Code:
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>*.htaccess</url-pattern>
    </servlet-mapping>
I tried that, but Tomcat wouldn't start.