tomcat-dev mailing list archives

From Stuart Maclean
Subject Re: Tomcat Security Vulnerability
Date Thu, 05 Oct 2000 21:35:36 GMT
Yep, this is right, 3.2beta4 DOES check that the 'signal' comes from a
process on the same host as Tomcat is running on.  This isn't the case in
3.1, however; my killer program certainly hoses those.

Patch-wise, I just commented out the "System.exit()" line.  Trying to
kill Tomcat now results in an exception stack trace in Tomcat, but at
least it survives the attack...


Stuart Maclean, Research Associate
University of Washington
ITS Research Program, College of Engineering
Box 352500
Seattle, WA 98195-2500
Tel: (206) 543-0637
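
The same-host check described in the message above, sketched as an added example (not code from Tomcat or from the poster): a control listener that acts on a shutdown command only when the peer address is loopback or belongs to one of the machine's own interfaces. The class name, port number and `SHUTDOWN` command string are assumptions for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
import java.nio.charset.StandardCharsets;

// Hypothetical control listener; names, port and command are assumed.
public class LocalOnlyShutdownListener {
    static final int CONTROL_PORT = 8007;       // assumed port
    static final String COMMAND = "SHUTDOWN";   // assumed command string

    // True only if the peer is loopback or bound to a local interface.
    static boolean isLocalPeer(InetAddress peer) {
        if (peer.isLoopbackAddress()) {
            return true;
        }
        try {
            return NetworkInterface.getByInetAddress(peer) != null;
        } catch (SocketException e) {
            return false; // fail closed if interfaces cannot be queried
        }
    }

    public static void main(String[] args) throws IOException {
        try (ServerSocket server = new ServerSocket(CONTROL_PORT)) {
            boolean running = true;
            while (running) {
                try (Socket s = server.accept()) {
                    InetAddress peer = s.getInetAddress();
                    if (!isLocalPeer(peer)) {
                        // Log and drop; a remote peer never reaches the command parser.
                        System.err.println("rejected control connection from " + peer.getHostAddress());
                        continue;
                    }
                    s.setSoTimeout(2000); // do not let an idle client block the loop
                    BufferedReader in = new BufferedReader(
                        new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
                    if (COMMAND.equals(in.readLine())) {
                        running = false; // leave the loop and stop cleanly
                    }
                } catch (IOException e) {
                    System.err.println("control connection error: " + e.getMessage());
                }
            }
        }
    }
}
```

A peer-address check of this kind limits the command to processes on the same machine; it does not authenticate them.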
