JWebMail / Java Webmail / Bugs / #45 Security: Move data directory to WEB-INF

#45 Security: Move data directory to WEB-INF

Milestone: mission critical

Status: open

Owner: nobody

Labels: servlet part (11)

Priority: 5

Updated: 2004-04-23

Created: 2004-04-23

Creator: Anonymous

Private: No

Change the default setup to move the webmail/data
directory to webmail/WEB-INF/data.

With the default setup, tomcat serves files from the
data directory, revealing accounts passwords and
configuration information. For instance, if johndoe is a
user account on localnet,
http://www.acme.com/webmail/data/localnet/johndoe.xm
l gives access to this user configuration file, and allows
brute force cracking of his password...

The simplest correction for this bug is to move
information which has to be secured under the
application WEB-INF directory as tomcat does not serve
content from that location.
The web.xml file has to be adapted to take this change
into account.

Discussion

Tony Grant - 2004-04-27

Logged In: YES
user_id=79894

OK this is where my spammer got in...

Thanks for the info.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Security: Move data directory to WEB-INF

Group

Searches

Help

#45 Security: Move data directory to WEB-INF

Discussion