Tuesday, October 4, 2011

Seam 3.1.0.Beta3 Release

Seam 3.1.0.Beta3 has been tagged, and the artifacts have been released on the JBoss Nexus repository. Please report any bugs or problems to the Seam Forums.

Sunday, October 2, 2011

Prevent .DS_Store file access on Tomcat 6

The .DS_Store file is a Mac OS X file that stores information about a folder's contents. It is created by the Mac OS X Finder. An attacker can obtain sensitive information about your system if this file is accessible via your Tomcat web server. To fix this security vulnerability, open your server.xml and add the following lines:
<Context path=".DS_Store" docBase="">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
</Context>
So the full host configuration should look similar to this:
<Host appBase="webapps" autoDeploy="false" name="localhost" unpackWARs="false" xmlNamespaceAware="false" xmlValidation="false">
    <Context path=".DS_Store" docBase="">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>
</Host>
Now restart the Tomcat server, place a ".DS_Store" file into your application, and try to download it. You should receive an HTTP status 404.
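
To repeat that download test for every application at once, the shell functions below (an added example, not part of the original post) list each .DS_Store file under the appBase directory as the URL path it would be requested at, then request each one and report those that come back with status 200. The function names are illustrative, and the script assumes applications are deployed as unpacked directories with plain names directly under appBase.

```shell
#!/bin/sh
# Added example: audit a Tomcat appBase for .DS_Store files that could be served.
# Assumption: each application is an unpacked directory directly under appBase.

# ds_store_urls APPBASE
# Prints one URL path per .DS_Store file that lies inside a web application.
ds_store_urls() (
    appbase=${1%/}
    find "$appbase" -type f -name .DS_Store | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#"$appbase"/}
        case "$rel" in
            */*) ;;            # inside an application directory
            *) continue ;;     # directly in appBase: not part of any context
        esac
        ctx=${rel%%/*}         # application directory name
        path=${rel#*/}         # path inside the application
        case "$path" in
            # Tomcat does not serve a context's top-level WEB-INF or META-INF
            WEB-INF/*|META-INF/*) continue ;;
        esac
        if [ "$ctx" = ROOT ]; then
            printf '/%s\n' "$path"       # ROOT is the empty context path
        else
            printf '/%s/%s\n' "$ctx" "$path"
        fi
    done
)

# ds_store_served BASEURL APPBASE
# Requests each candidate path and prints the ones answered with HTTP 200.
ds_store_served() (
    base=${1%/}
    ds_store_urls "$2" | while IFS= read -r p; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$p")
        if [ "$code" = 200 ]; then
            printf 'EXPOSED %s%s\n' "$base" "$p"
        fi
    done
)

# Usage: sh audit.sh http://localhost:8080 /path/to/webapps
if [ "$#" -eq 2 ]; then
    ds_store_served "$1" "$2"
fi
```

Deleting the reported files from the deployment, and excluding them from the build, removes the exposure at its source regardless of the server configuration.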

Saturday, October 1, 2011