Security, Tomcat, Apache, & Windows
Posted on 2001-07-26
My company is running a JSP site on IIS 5 with Windows 2000 and all of
the security patches.
We discovered that if we use Tomcat or JRun 2.3.3 with IIS,
we have to set up the Tomcat (or JRun) directories as virtual directories
__with execute permissions turned on__.
This got us hacked into.
I don't understand how. It has something to do with how IIS handles
malformed URLs, leaving IIS open to attacks if directories associated with
a web site have execute permissions granted.
Does Apache have a similar vulnerability?
Does Apache have JSP/servlet capabilities built in or does it need to be
hooked up to Tomcat?
Will Apache run on Windows 2000?
To run JSP/Servlets, do any directories associated with the Apache web
server need to have execute permissions opened up? Is it a security risk?
Thanks in advance