MLUG: symlinks and security (was Re: [MLUG] Found tomcat problem)


On Wed, 16 Apr 2003, Jason McIntosh wrote:

> Ok, it looks like I've found what's going on.  It seems the new Tomcat 
> system does not seem to follow symbolic links.  As the WEB-INF/classes 
> was symlinked to ../../src, Tomcat couldn't find the source files and 
> bombed out.

[snip]
 
> And I can understand maybe why they did so, such as security issues, 
> but at least you'd think someone would have seen it beforehand.

OK, so I'm just a bit curious about how this policy is supposed to have a
big effect on security.  It would seem to me that to get the symlink there
in the first place, you're going to need write permission in the
particular directory, and if the bad guys have that, you're toast.  
Similarly, the bad guys are going to have to have write access to the 
directory containing the linked-to stuff, and it's the same story.  If J. 
Random has access to your system, I'm not sure why exploiting symlinks
would be the preferred method.  So what am I missing?

jking
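What a "do not follow symlinks" policy buys a server is a containment check on the resolved path, and the two directories involved are not symmetric: creating the link needs write access only to the directory that will hold it, while the directory it points at only has to be readable by the server process. The following is an added example, not code from the thread or from Tomcat: a minimal static-file lookup with and without symlink following, run against a constructed directory layout. The function names (serve, demo) and the sample file contents are my own for the illustration.

```python
import os
import tempfile


def serve(docroot, request_path, follow_symlinks):
    """Minimal static-file lookup. Returns the file bytes, or None when the
    request is refused (path traversal, symlink escape, or not a regular file)."""
    root = os.path.realpath(docroot)
    # Lexical containment: normalise "../" and require the result to stay under root.
    candidate = os.path.normpath(os.path.join(root, request_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    if not follow_symlinks:
        # root is already fully resolved, so any difference after realpath()
        # means a symlink somewhere below the docroot was traversed.
        if os.path.realpath(candidate) != candidate:
            return None
    if not os.path.isfile(candidate):
        return None
    with open(candidate, "rb") as fh:
        return fh.read()


def demo():
    """Constructed layout: a webapp directory and an unrelated 'secret'
    directory beside it. Someone who can write to the webapp plants a symlink
    from WEB-INF/classes to the secret directory (cf. the ../../src link in
    the thread). Returns what the server hands out in each case."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret")
        os.mkdir(secret)
        with open(os.path.join(secret, "passwd"), "w") as fh:
            fh.write("root:x:0:0\n")  # constructed sample content
        webapp = os.path.join(tmp, "webapp")
        os.makedirs(os.path.join(webapp, "WEB-INF"))
        with open(os.path.join(webapp, "index.html"), "w") as fh:
            fh.write("hello\n")
        # Creating the link writes only to webapp/WEB-INF; secret/ is untouched.
        os.symlink(secret, os.path.join(webapp, "WEB-INF", "classes"))
        return {
            "normal": serve(webapp, "index.html", follow_symlinks=True),
            "follow": serve(webapp, "WEB-INF/classes/passwd", follow_symlinks=True),
            "nofollow": serve(webapp, "WEB-INF/classes/passwd", follow_symlinks=False),
            "traversal": serve(webapp, "../secret/passwd", follow_symlinks=True),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With following enabled the server returns the contents of secret/passwd for WEB-INF/classes/passwd; with it disabled the same request is refused, and the plain "../" traversal is refused either way by the lexical check. The realpath comparison is the whole policy: it does not care who owns the target, only whether the resolved file still lies under the document root.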


_______________________________________________
members mailing list
http://mlug.missouri.edu/mailman/listinfo/members