From: Leif M. <le...@ta...> - 2009-04-30 07:35:28
John,

I am not clear what exactly your security scanner did to test the Wrapper. The Wrapper is used to launch various Java based applications and does not have an HTTP interface directly. It is possible that your security scanner is actually having a problem with the application run under the wrapper.

The Wrapper itself is able to access parent directories to access its configuration file. There should be a wrapper.conf file located under the directory structure of the application containing the wrapper binary. If you would like to send me that on or off list, I can take a look at it and tell you what the Wrapper is being used to run.

Cheers,
Leif

On Tue, Apr 28, 2009 at 4:27 AM, Weeks, John <Joh...@me...> wrote:
> Hi,
>
> Programmers at our site are running the "wrapper" tool. Our security
> scanner flagged this as a threat because it was able to use the "../../"
> syntax to pull any random file (including the password file) off of the
> server via HTTP. I am not JAVA-literate. Can anyone point me in the
> right direction as far as how to configure wrapper to limit the directory
> tree that it can see on this server? I know how to do this in Apache, but
> wrapper appears to be running on its own TCP/IP port without using a web
> server as a front end.
>
> -john-
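Added example, not part of the original messages and not code from the Wrapper project: a short Python script that reads a wrapper.conf and reports which Java application the Wrapper launches, which is the component to examine for the HTTP finding. The sample configuration, the `com.example.web.Main` class and the file paths are constructed for illustration.

```python
import re

# Constructed sample wrapper.conf; the application names are made up.
SAMPLE_CONF = """\
# Java Service Wrapper configuration (constructed sample)
wrapper.java.command=java
wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperSimpleApp
wrapper.java.classpath.1=../lib/wrapper.jar
wrapper.java.classpath.2=../lib/example-webapp.jar
wrapper.java.additional.1=-Dhttp.port=8081
wrapper.app.parameter.1=com.example.web.Main
wrapper.app.parameter.2=--docroot=../htdocs
"""

def parse_conf(text):
    """Return {property: value}, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def numbered(props, prefix):
    """Collect prefix.1, prefix.2, ... values in numeric order."""
    found = []
    for key, value in props.items():
        m = re.fullmatch(re.escape(prefix) + r"\.(\d+)", key)
        if m:
            found.append((int(m.group(1)), value))
    return [v for _, v in sorted(found)]

def describe_launch(props):
    """Summarise which Java application the Wrapper starts."""
    main = props.get("wrapper.java.mainclass", "")
    params = numbered(props, "wrapper.app.parameter")
    # When the main class is one of the Wrapper's own helper classes,
    # the first application parameter names what is really launched.
    if main.startswith("org.tanukisoftware.wrapper.") and params:
        target, args = params[0], params[1:]
    else:
        target, args = main, params
    return {"target": target, "args": args,
            "classpath": numbered(props, "wrapper.java.classpath"),
            "jvm_args": numbered(props, "wrapper.java.additional")}

if __name__ == "__main__":
    print(describe_launch(parse_conf(SAMPLE_CONF)))
```

The reported target and classpath identify the application whose HTTP listener and file-serving configuration need to be restricted; the Wrapper only starts that process.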