Change the default setup to move the webmail/data
directory to webmail/WEB-INF/data.
With the default setup, Tomcat serves files from the
data directory, revealing account passwords and
configuration information. For instance, if johndoe is a
user account on localnet,
http://www.acme.com/webmail/data/localnet/johndoe.xml
gives access to this user's configuration file, and allows
brute force cracking of his password...
The simplest correction for this bug is to move the
information which has to be secured under the
application's WEB-INF directory, as Tomcat does not serve
content from that location.
The web.xml file has to be adapted to take this change
into account.
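The report's point is that Tomcat's default servlet hands out every file under the webapp root except the WEB-INF/ and META-INF/ subtrees, so where a data file sits on disk decides whether it is reachable over HTTP. The following audit script is an added example, not code from the report or from the webmail project: it builds two throwaway webapp trees (the default layout with data/ at the root and the fixed layout with data/ under WEB-INF/), walks each one, and lists the URL of every credential-bearing file Tomcat would serve. The directory layout, the johndoe.xml content, the www.acme.com host taken from the report, and the "looks like a credential" regex are all constructed assumptions for the demonstration.

```python
"""Audit a deployed Tomcat webapp directory for data files that Tomcat would
serve to anyone who knows the URL.

Tomcat's default servlet serves every file under the webapp root except the
WEB-INF/ and META-INF/ subtrees, so a per-user config file stored under
webmail/data/ is reachable as http://host/webmail/data/..., while the same
file under webmail/WEB-INF/data/ is not.

Added example; not part of the bug report or of the webmail project. The
layout, file names and XML content below are constructed for the demo.
"""
import os
import re
import tempfile

# Subtrees Tomcat's default servlet never serves directly.
PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Heuristic (an assumption, not the project's file format): an XML element
# or attribute whose name mentions password/passwd/secret.
SENSITIVE_RE = re.compile(
    r"<\s*(password|passwd|secret)\b|(password|passwd|secret)\s*=", re.I)


def is_served(rel_path):
    """True if a file at this webapp-relative path is reachable over HTTP."""
    first = rel_path.replace(os.sep, "/").split("/", 1)[0]
    return first not in PROTECTED_DIRS


def served_url(context, rel_path, base="http://www.acme.com"):
    """URL at which Tomcat would serve rel_path inside the given context."""
    return f"{base}/{context}/{rel_path.replace(os.sep, '/')}"


def find_exposed(webapp_root, context):
    """Return sorted (url, rel_path) pairs for every sensitive-looking file
    under webapp_root that Tomcat would serve."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webapp_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webapp_root)
            if not is_served(rel):
                continue  # under WEB-INF/ or META-INF/: not reachable
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    if SENSITIVE_RE.search(fh.read()):
                        exposed.append((served_url(context, rel), rel))
            except OSError:
                pass
    return sorted(exposed)


# Constructed user config in the spirit of the report's johndoe.xml; the hash
# value is a dummy, not a real credential.
USER_XML = """<?xml version="1.0"?>
<user name="johndoe">
  <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
  <forward>johndoe@example.net</forward>
</user>
"""


def build_webapp(layout):
    """Create a throwaway webapp tree; layout maps relative path -> content."""
    root = tempfile.mkdtemp(prefix="webmail-")
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def default_layout():
    """The vulnerable default: data/ lives at the webapp root."""
    return build_webapp({
        "data/localnet/johndoe.xml": USER_XML,
        "WEB-INF/web.xml": "<web-app/>",
        "index.jsp": "<html/>",
    })


def fixed_layout():
    """The reported fix: data/ moved under WEB-INF/."""
    return build_webapp({
        "WEB-INF/data/localnet/johndoe.xml": USER_XML,
        "WEB-INF/web.xml": "<web-app/>",
        "index.jsp": "<html/>",
    })


if __name__ == "__main__":
    for label, root in (("default", default_layout()), ("fixed", fixed_layout())):
        hits = find_exposed(root, "webmail")
        print(f"{label} layout: {len(hits)} exposed file(s)")
        for url, _rel in hits:
            print("   ", url)
```

Running it against a real deployment means pointing find_exposed at the exploded webapp directory (for example $CATALINA_HOME/webapps/webmail) with the context name Tomcat uses for it; a non-empty result is a file you can fetch with a plain browser request, and moving it under WEB-INF/ is what makes it disappear from the list. Remember that the application's own code must then read the file from the new location, which is the web.xml adjustment the report mentions.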
Logged In: YES
user_id=79894
OK this is where my spammer got in...
Thanks for the info.