Java D Guy wrote: However, a hacker will use WEB-INF./web.xml to see my web.xml.
This is a problem with Tomcat, as it seems, right?
Yong C Lin wrote: This is the note from a third party compliance company:
(port 8080)
Synopsis: The remote web server is affected by an information disclosure vulnerability.
Description: By making a specially-formatted request to the remote web server, it is possible to retrieve files located under the 'WEB-INF' directory. Note that this vulnerability is known to affect the Win32 versions of multiple J2EE servlet containers / application servers.
I googled it and found no mention of this. But it actually happens. I am only using Tomcat, no IIS.
Thanks,
Yong
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
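
An added example, not part of the original thread: a small access-log check for requests that a Win32 filesystem would resolve into WEB-INF, such as the `WEB-INF./web.xml` form quoted above, flagging the ones the server answered with 200. The log lines are constructed samples, and the function names and the combined-log layout are assumptions.

```python
import re
from urllib.parse import unquote

# Matches the request line and status code of a combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Directories a servlet container must never serve directly.
PROTECTED = {"web-inf", "meta-inf"}

def canonical_segments(raw_path):
    """Reduce a request path to the segment names a Win32 filesystem would open."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]       # drop path parameters such as ;jsessionid
        seg = seg.rstrip(". ").lower()   # Win32 ignores trailing dots/spaces and case
        if seg:                          # empty, "." and ".." segments fall away here
            segments.append(seg)
    return segments

def find_protected_hits(log_lines):
    """Return (path, status, served) for every request that reaches a protected dir."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if PROTECTED.intersection(canonical_segments(m["path"])):
            status = int(m["status"])
            hits.append((m["path"], status, status == 200))
    return hits

# Constructed sample entries (documentation address range, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 404 980',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /app/WEB-INF./web.xml HTTP/1.1" 200 2311',
]

if __name__ == "__main__":
    for path, status, served in find_protected_hits(SAMPLE_LOG):
        print(("DISCLOSED" if served else "blocked  "), status, path)
```

A hit with `served` set to true means the container returned the file; the same canonicalisation can be reused in a servlet filter or reverse-proxy rule to reject such paths before they reach the filesystem.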