security

Matthias Reuter

Circumvention of Opera's Upload Field Path Protection

If you have a form with a file upload field, some browsers do not let script read the path of the chosen file. This is meant as a security measure, because the path can reveal information about the user, e.g. the username in a home directory.

In earlier versions of Opera, reading the upload field's value gave only the file name:

var uploadField = document.getElementById("upload");
var path = uploadField.value; // was "foo.jpg"

In the recent version, Opera instead returns what looks like a full path, but the directory part is fake:

var uploadField = document.getElementById("upload");
var path = uploadField.value; // now "C:\fake_path\foo.jpg"
Read more
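Script that only needs the file name has to cope with both behaviours the post describes (a bare name, or a name behind a fake directory). The following is an added example, not code from the original post: it reduces whatever the field returns to its last path segment, detects the synthetic prefix, and prefers the File API where it exists. The "C:\fakepath\" spelling is an assumption taken from the HTML standard's required prefix; the post's Opera build used "C:\fake_path\", so both are accepted.

```javascript
// Added example (not from the original post): derive the bare file name from
// an <input type="file"> value regardless of which of the two Opera behaviours
// the post describes is in effect. The "C:\fakepath\" prefix is an assumption
// (the HTML standard's required value); the post's Opera used "C:\fake_path\".

// Reduce any value to its last path segment. Both Windows ("\") and POSIX ("/")
// separators are handled, so "foo.jpg", "C:\fake_path\foo.jpg" and
// "/tmp/foo.jpg" all give "foo.jpg".
function fileNameFromUploadValue(value) {
  if (typeof value !== "string" || value.length === 0) return "";
  const parts = value.split(/[\\\/]/);
  return parts[parts.length - 1];
}

// True when the value carries the synthetic directory prefix rather than a
// bare name, i.e. the browser is masking the real location of the file.
function looksLikeFakePath(value) {
  return /^C:\\fake_?path\\/i.test(value);
}

// In a real page prefer the File API: input.files[0].name never contains a
// directory, fake or real. Fall back to parsing .value on older engines.
// The argument is duck-typed so the function can be exercised without a DOM.
function uploadedFileName(inputEl) {
  if (inputEl.files && inputEl.files.length > 0) return inputEl.files[0].name;
  return fileNameFromUploadValue(inputEl.value);
}

// Constructed sample values mirroring the post's two observations plus the
// standard prefix; these were not captured from a real browser.
const SAMPLE_VALUES = {
  oldOpera: "foo.jpg",
  newOpera: "C:\\fake_path\\foo.jpg",
  standard: "C:\\fakepath\\foo.jpg",
};

// Summarise how each sample value is interpreted.
function describeSamples() {
  const result = {};
  for (const [label, value] of Object.entries(SAMPLE_VALUES)) {
    result[label] = {
      name: fileNameFromUploadValue(value),
      masked: looksLikeFakePath(value),
    };
  }
  return result;
}
```

Whatever the browser does, the server must not rely on the client-supplied value either: strip directory components again server-side before using the name, since the request body is under the client's control.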

Phillip Steffensen

How to access the manager servlet of Apache Tomcat

If you set up a brand new Tomcat with the default configuration, you cannot get into the manager servlet. Every request to http://[YourHost]:[TomcatPort]/manager/html is answered with HTTP status 403 ("Access to the requested resource has been denied"). If you run Tomcat on a production system the manager servlet should always stay deactivated. Tomcat's default configuration locks the manager servlet for security reasons: none of the default users holds a role the manager accepts. If you do want to access it, add a few lines to tomcat-users.xml at $CATALINA_HOME/conf/tomcat-users.xml and restart Tomcat.

The default content of tomcat-users.xml is:

  <?xml version='1.0' encoding='utf-8'?>
  <tomcat-users>
      <role rolename="tomcat" />
      <role rolename="role1" />
      <role rolename="admin" />
      <user username="tomcat" password="tomcat" roles="tomcat" />
      <user username="role1" password="tomcat" roles="role1" />
      <user username="both" password="tomcat" roles="tomcat,role1" />
  </tomcat-users>

To make the manager servlet reachable you should modify your tomcat-users.xml like that:

Read more
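The post's own modification is cut off above. What follows is an added example, not the original post's configuration: a tomcat-users.xml that grants one dedicated account access to the manager application and drops the shipped demo users, whose password "tomcat" is publicly known. It assumes the role name "manager", which is what the manager web application of Tomcat 5.x and 6.x checks; Tomcat 7 and later replaced it with "manager-gui" for /manager/html (plus "manager-script", "manager-jmx" and "manager-status" for the other interfaces), so substitute that role name there. The username "opsadmin" and the password value are placeholders.

```xml
<?xml version='1.0' encoding='utf-8'?>
<!-- Added example, not the original post's file.
     Tomcat 5.x/6.x: /manager/html requires the role "manager".
     Tomcat 7+:      use rolename="manager-gui" (and roles="manager-gui") instead. -->
<tomcat-users>
  <!-- The shipped demo accounts (tomcat, role1, both) are deliberately
       omitted: they all carry the well-known password "tomcat". Only the
       role the manager application checks is declared. -->
  <role rolename="manager"/>

  <!-- One dedicated account for the manager. "opsadmin" and the password
       are placeholders; replace the password with a long random secret. -->
  <user username="opsadmin"
        password="REPLACE-WITH-A-LONG-RANDOM-SECRET"
        roles="manager"/>
</tomcat-users>
```

After restarting Tomcat, http://[YourHost]:[TomcatPort]/manager/html prompts for the credentials of this account. Two caveats a production deployment needs: the default realm stores these passwords in clear text, so restrict the file to the Tomcat user (e.g. mode 600), and the manager should additionally be limited by source address (Tomcat's org.apache.catalina.valves.RemoteAddrValve in the manager's context) or, as the post advises, left undeployed altogether.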
