
List:       tomcat-user
Subject:    RE: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading
From:       "Scott,Tim" <Tim.Scott () oclc ! org>
Date:       2022-06-22 10:11:48
Message-ID: PH0PR06MB8064165E221E391018CFE5898CB29 () PH0PR06MB8064 ! namprd06 ! prod ! outlook ! com


Hi all,

As a side note, can we all try not to have a URL with something like "abc.exe" in it?

Several firewall implementations will refuse to navigate there, even though we all know the intention is not to have it download. Trying to explain that to some people is more difficult than avoiding the problem.

If it's just for a small number of people you know and that won't be a problem for them, then fine.

We use:
    <servlet-mapping>
        <servlet-name>cgi</servlet-name>
        <url-pattern>/theApp.exe</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <!-- Use theApp as the default application -->
        <welcome-file>theApp.exe</welcome-file>
    </welcome-file-list>

This hides the "theApp.exe" from the browser so such firewalls never know / interfere.

Thanks,
Tim

From: Mark Thomas <markt@apache.org>
Sent: 22 June 2022 10:56
To: users@tomcat.apache.org
Subject: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

On 22/06/2022 10:37, bharath Kumar wrote:
> Hi team,
> 
> Any help on this ?
> 
> Further, this exe (*abc.exe*) downloads when I hit the URL
> *http://server_name/abc.exe/* and this is happening only in *Tomcat*,
> not with *IIS*.
> 
> 
> Tomcat :
> *http://<server_name:Port>/abc.exe* -- exe is not getting downloaded
> *http://<server_name:Port>/abc.exe/* -- exe is getting downloaded on
> the browser where we hit
> 
> 
> IIS:
> 
> *http://<server_name:Port>/abc.exe/ - No issue*
> *http://<server_name:Port>/abc.exe - **No issue*
> 
> 
> My Intention is not to download the abc.exe ... I have a CGI
> application(abc.exe) that opens up my application
> 
> 
> Below is my web.xml configuration:
> 
> <servlet-mapping>
> <servlet-name>abc</servlet-name>
> <url-pattern>/abc.exe</url-pattern>
> </servlet-mapping>

Change the mapping to /abc.exe/*

See section 12.2 of the Servlet specification for details.

Mark


> 
> 
> Can you please help with how to stop the CGI application
> (*http://<server_name:Port>/abc.exe/*) from being downloaded? (I am
> trying to fix the CGI vulnerability.)
> 
> Thanks,
> Bharath
> 
> On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
> <Thomas.Hoffmann@speed4trade.com.invalid> wrote:
> > Hello,
> > 
> > maybe this stackoverflow page helps already:
> > 
> > https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist
> >  
> > Your snippet of the web.xml is just a configuration of an unknown servlet.
> > If the corresponding servlet is custom, you need to get in touch with the
> > developer.
> > 
> > Greetings,
> > Thomas
> > 


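Editor's note, not part of anyone's message on this thread: the following is a small Python model of the mapping rules in section 12.1/12.2 of the Servlet specification that Mark points to (exact match, then longest path-prefix match, then extension match, then welcome files, then the default servlet). It shows why the exact mapping /abc.exe leaves the request /abc.exe/ to the default servlet, which serves whatever static resource the path resolves to, while /abc.exe/* claims /abc.exe, /abc.exe/ and anything below it. It also shows how Tim's <welcome-file> routes "/" to the servlet without changing what happens to /theApp.exe/ under an exact mapping. This is a simplified re-implementation for illustration, not Tomcat's Mapper; the servlet names, the "default" name for the static-file servlet, and the welcome-file handling (exact and prefix mapping of the welcome file only, no physical-file check) are assumptions of the model.

```python
"""Simplified model of Servlet-spec URL-to-servlet mapping (spec 12.1/12.2).

Illustrative re-implementation, NOT Tomcat's org.apache.catalina.mapper.Mapper.
Assumptions: the static-file servlet is called "default" (Tomcat's DefaultServlet
is mapped to "/"); welcome files are only tried against exact and prefix
mappings, the physical-file branch Tomcat also has is left out.
"""
from typing import Dict, Optional, Sequence

DEFAULT_SERVLET = "default"  # assumed name for the servlet mapped to "/"


def _exact(path: str, mappings: Dict[str, str]) -> Optional[str]:
    """Rule 1: the request path equals a mapping pattern verbatim."""
    return mappings.get(path)


def _prefix(path: str, mappings: Dict[str, str]) -> Optional[str]:
    """Rule 2: longest path-prefix match against "/prefix/*" patterns.

    "/foo/*" matches "/foo", "/foo/" and "/foo/anything" (servletPath is
    "/foo", the remainder becomes pathInfo).
    """
    best: Optional[str] = None
    best_len = -1
    for pattern, servlet in mappings.items():
        if not pattern.endswith("/*"):
            continue
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            if len(prefix) > best_len:
                best, best_len = servlet, len(prefix)
    return best


def _extension(path: str, mappings: Dict[str, str]) -> Optional[str]:
    """Rule 3: "*.ext" match on the last path segment only.

    A trailing slash makes the last segment empty, so "/abc.exe/" never
    matches "*.exe".
    """
    last = path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    return mappings.get("*." + last.rsplit(".", 1)[-1])


def resolve(path: str, mappings: Dict[str, str],
            welcome_files: Sequence[str] = ()) -> str:
    """Return the servlet name that would handle `path`.

    `mappings` is {url-pattern: servlet-name} as it would appear in web.xml.
    For a request ending in "/", each welcome file is appended and tried
    against exact and prefix mappings (this is what makes a <welcome-file>
    naming a servlet mapping work). Anything unmatched goes to the default
    servlet, i.e. gets served as a static resource if one exists.
    """
    for rule in (_exact, _prefix, _extension):
        hit = rule(path, mappings)
        if hit is not None:
            return hit
    if path.endswith("/"):
        for wf in welcome_files:
            candidate = path + wf
            hit = _exact(candidate, mappings) or _prefix(candidate, mappings)
            if hit is not None:
                return hit
    return DEFAULT_SERVLET


if __name__ == "__main__":
    # Bharath's original exact mapping vs Mark's suggested path mapping.
    exact_map = {"/abc.exe": "abc"}
    path_map = {"/abc.exe/*": "abc"}
    # Tim's welcome-file arrangement.
    tims_map = {"/theApp.exe": "cgi"}
    tims_welcome = ["theApp.exe"]

    for label, m, wf, reqs in (
        ("exact  /abc.exe   ", exact_map, (), ["/abc.exe", "/abc.exe/"]),
        ("path   /abc.exe/* ", path_map, (), ["/abc.exe", "/abc.exe/", "/abc.exe/x"]),
        ("welcome theApp.exe", tims_map, tims_welcome, ["/", "/theApp.exe/"]),
    ):
        for r in reqs:
            print(f"{label}  {r:<14} -> {resolve(r, m, wf)}")
```

Run it and the second line of output is the reported problem: under the exact mapping, /abc.exe/ resolves to the default servlet. Under /abc.exe/* all three requests go to the CGI servlet, which is Mark's fix. The welcome-file case routes "/" to the servlet but still sends /theApp.exe/ to the default servlet, so the two techniques complement rather than replace each other.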
