There is a serious security issue in our product, which runs on an Apache Tomcat server listening on ports 80 and 443. The routing of incoming HTTP/HTTPS requests on these ports is configured by our product classes, which fail to ensure that each requested URL refers to a file that is both located within the web root of the server and of a type that is allowed to be served.
In particular, requests whose URL matches '/error/*' are configured to use the 'docroot' folder as the document root for serving files. So paths that traverse out of the /error/ (i.e. docroot) directory using URL-encoded backslashes (%5C) can also be accessed and downloaded. For example, a remote user can give a URL like:
https://MyDomain/error/..%5c..%5csettings.properties
to access the file settings.properties, which sits at the same level as docroot. We are trying to overcome this through firewall rules and network segmentation, but is there a setting in Tomcat that can be used to prevent remote users from accessing files outside the project root folder? That would be very useful.
If you want to restrict direct URL access to some files, put them under the WEB-INF directory.
Quote from here (note: the URL below is currently unavailable):
http://www.servletworld.com/servlet-tutorials/web-application-directory-structure.html
The root directory contains a directory named WEB-INF. Anything under the root directory except the WEB-INF directory is publicly available and can be accessed by URL from a browser.
The WEB-INF directory is a private area of the web application; files under the WEB-INF directory cannot be accessed directly from a browser by specifying a URL like http://somesite/WEB-INF/someresource.html. The web container will not serve the content of this directory. However, the content of the WEB-INF directory is accessible to the classes within the application. So if there are any resources, such as JSPs or HTML documents, that you don't wish to be accessible directly from a web browser, you should place them under the WEB-INF directory.
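Moving private files under WEB-INF removes them from the servable tree, but the question's routing code also needs a containment check of its own, since Tomcat does not treat %5C as a path separator while Windows file systems do. The following is an added example (not code from the question or from Tomcat) of such a check for the '/error/*' mapping: it decodes the path exactly once, treats backslashes as separators, rejects any '..' segment, confirms the resolved path stays inside the configured docroot, and enforces an allow-list of file types. The docroot path, the extension list and the method names are assumptions for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/** Containment check for files served from a configured document root (illustrative). */
public final class DocrootPathGuard {
    // Assumed allow-list of types the error pages may serve.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("html", "css", "js", "png");

    /**
     * Returns the resolved file path if requestPath is safe to serve, or null if it must be
     * refused. requestPath is the still-percent-encoded part of the URL after '/error/'.
     */
    public static Path resolveSafely(Path docroot, String requestPath) {
        String decoded;
        try {
            decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8); // decode once only
        } catch (IllegalArgumentException e) {
            return null; // malformed percent-encoding
        }
        if (decoded.indexOf('\0') >= 0) return null; // embedded NUL
        // Treat '\' as a separator so "..\" cannot slip past a slash-only check.
        String unified = decoded.replace('\\', '/');
        for (String segment : unified.split("/")) {
            if (segment.equals("..")) return null; // refuse traversal rather than normalizing it
        }
        Path base = docroot.toAbsolutePath().normalize();
        Path candidate = base.resolve(unified.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(base)) return null; // escaped the document root
        Path fileName = candidate.getFileName();
        String name = fileName == null ? "" : fileName.toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || !ALLOWED_EXTENSIONS.contains(name.substring(dot + 1).toLowerCase())) {
            return null; // not an allowed file type
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path docroot = Paths.get("/srv/product/docroot"); // constructed example location
        String[] samples = {
            "404.html",                          // allowed
            "..%5c..%5csettings.properties",     // the traversal from the question
            "%2e%2e/%2e%2e/settings.properties", // encoded dots
            "sub/../../settings.properties",     // plain traversal
            "404.jsp"                            // type not on the allow-list
        };
        for (String s : samples) System.out.println(s + " -> " + resolveSafely(docroot, s));
    }
}
```

Only the first sample resolves to a path; the other four return null. Note that URLDecoder also turns '+' into a space, which is harmless for a containment check but worth knowing when comparing file names.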