!C99Shell v. 1.0 pre-release build #13!

Software: Apache. PHP/5.5.15 

uname -a: Windows NT SVR-DMZ 6.1 build 7600 (Windows Server 2008 R2 Enterprise Edition) i586 

SYSTEM 

Safe-mode: OFF (not secure)

C:\dmz\tomcat\webapps\docs\   drwxrwxrwx
Free 4.08 GB of 39.52 GB (10.32%)
Detected drives: [ a ] [ c ] [ d ] [ e ] [ f ]
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     default-servlet.html (21.8 KB)      -rw-rw-rw-
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
Apache Tomcat 7 (7.0.42) - Default Servlet Reference

      The Apache Tomcat Servlet/JSP Container

Apache Tomcat 7

Version 7.0.42, Jul 2 2013
Apache Logo

Links

User Guide

Reference

Apache Tomcat Development

Default Servlet Reference

Table of Contents
What is the DefaultServlet
The default servlet is the servlet which serves static resources as well as serves the directory listings (if directory listings are enabled).
Where is it declared?
It is declared globally in $CATALINA_BASE/conf/web.xml. By default here is it's declaration:
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>
          org.apache.catalina.servlets.DefaultServlet
        </servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

...

    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

So by default, the default servlet is loaded at webapp startup and directory listings are disabled and debugging is turned off.
What can I change?
The DefaultServlet allows the following initParamters:
debug Debugging level. It is not very useful unless you are a tomcat developer. As of this writing, useful values are 0, 1, 11, 1000. [0]
listings If no welcome file is present, can a directory listing be shown? value may be true or false [false]
Welcome files are part of the servlet api.
WARNING: Listings of directories containing many entries are expensive. Multiple requests for large directory listings can consume significant proportions of server resources.
readmeFile If a directory listing is presented, a readme file may also be presented with the listing. This file is inserted as is so it may contain HTML.
globalXsltFile If you wish to customize your directory listing, you can use an XSL transformation. This value is an absolute file name which be used for all directory listings. This can be overridden per context and/or per directory. See contextXsltFile and localXsltFile below. The format of the xml is shown below.
contextXsltFile You may also customize your directory listing by context by configuring contextXsltFile. This should be a context relative path (e.g.: /path/to/context.xslt). This overrides globalXsltFile. If this value is present but a file does not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default directory listing will be shown.
localXsltFile You may also customize your directory listing by directory by configuring localXsltFile. This should be a relative file name in the directory where the listing will take place. This overrides globalXsltFile and contextXsltFile. If this value is present but a file does not exist, then contextXsltFile will be used. If contextXsltFile does not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default directory listing will be shown.
input Input buffer size (in bytes) when reading resources to be served. [2048]
output Output buffer size (in bytes) when writing resources to be served. [2048]
readonly Is this context "read only", so HTTP commands like PUT and DELETE are rejected? [true]
fileEncoding File encoding to be used when reading static resources. [platform default]
sendfileSize If the connector used supports sendfile, this represents the minimal file size in KB for which sendfile will be used. Use a negative value to always disable sendfile. [48]
useAcceptRanges If true, the Accept-Ranges header will be set when appropriate for the response. [true]
How do I customize directory listings?

You can override DefaultServlet with you own implementation and use that in your web.xml declaration. If you can understand what was just said, we will assume you can read the code to DefaultServlet servlet and make the appropriate adjustments. (If not, then that method isn't for you)

You can use either localXsltFile or globalXsltFile and DefaultServlet will create an xml document and run it through an xsl transformation based on the values provided in localXsltFile and globalXsltFile. localXsltFile is first checked, followed by globalXsltFile, then default behaviors takes place.

Format:

    <listing>
     <entries>
      <entry type='file|dir' urlPath='aPath' size='###' date='gmt date'>
        fileName1
      </entry>
      <entry type='file|dir' urlPath='aPath' size='###' date='gmt date'>
        fileName2
      </entry>
      ...
     </entries>
     <readme></readme>
    </listing>
  • size will be missing if type='dir'
  • Readme is a CDATA entry

The following is a sample xsl file which mimics the default tomcat behavior:
<?xml version="1.0"?>

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  version="1.0">

  <xsl:output method="xhtml" encoding="iso-8859-1" indent="no"/>

  <xsl:template match="listing">
   <html>
    <head>
      <title>
        Sample Directory Listing For
        <xsl:value-of select="@directory"/>
      </title>
      <style>
        h1{color : white;background-color : #0086b2;}
        h3{color : white;background-color : #0086b2;}
        body{font-family : sans-serif,Arial,Tahoma;
             color : black;background-color : white;}
        b{color : white;background-color : #0086b2;}
        a{color : black;} HR{color : #0086b2;}
      </style>
    </head>
    <body>
      <h1>Sample Directory Listing For
            <xsl:value-of select="@directory"/>
      </h1>
      <hr size="1" />
      <table cellspacing="0"
                  width="100%"
            cellpadding="5"
                  align="center">
        <tr>
          <th align="left">Filename</th>
          <th align="center">Size</th>
          <th align="right">Last Modified</th>
        </tr>
        <xsl:apply-templates select="entries"/>
        </table>
      <xsl:apply-templates select="readme"/>
      <hr size="1" />
      <h3>Apache Tomcat/7.0</h3>
    </body>
   </html>
  </xsl:template>


  <xsl:template match="entries">
    <xsl:apply-templates select="entry"/>
  </xsl:template>

  <xsl:template match="readme">
    <hr size="1" />
    <pre><xsl:apply-templates/></pre>
  </xsl:template>

  <xsl:template match="entry">
    <tr>
      <td align="left">
        <xsl:variable name="urlPath" select="@urlPath"/>
        <a href="{$urlPath}">
          <tt><xsl:apply-templates/></tt>
        </a>
      </td>
      <td align="right">
        <tt><xsl:value-of select="@size"/></tt>
      </td>
      <td align="right">
        <tt><xsl:value-of select="@date"/></tt>
      </td>
    </tr>
  </xsl:template>

</xsl:stylesheet>
How do I secure directory listings?
Use web.xml in each individual webapp. See the security section of the Servlet specification.
Comments

Notice: This comments section collects your suggestions on improving documentation for Apache Tomcat.

If you have trouble and need help, read Find Help page and ask your question on the tomcat-users mailing list. Do not ask such questions here. This is not a Q&A section.

The Apache Comments System is explained here. Comments may be removed by our moderators if they are either implemented or considered invalid/off-topic.


Copyright © 1999-2013, Apache Software Foundation

:: Command execute ::

Enter:
 
Select:
 

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c99shell v. 1.0 pre-release build #13 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.1092 ]--