tomcat-dev mailing list archives

From Stuart Maclean <stu...@its.washington.edu>
Subject Re: Tomcat Security Vulnerability
Date Thu, 05 Oct 2000 21:35:36 GMT
Yep, this is right, 3.2beta4 DOES check that the 'signal' comes from a
process on the same host as Tomcat is running on.  This isn't the case in
3.1, however; my killer program certainly hoses those.

Patch-wise, I just commented out the "System.exit()" line.  Trying to
kill Tomcat now results in an exception stack trace in Tomcat, but at
least it survives the attack...

stu


-- 
Stuart Maclean, Research Associate
University of Washington
ITS Research Program, College of Engineering
Box 352500
Seattle, WA 98195-2500
Tel: (206) 543-0637
http://www.its.washington.edu
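
The same-host check discussed in the message, as an added example (not Tomcat's code and not part of the original post): a control port that binds to loopback and drops any command whose peer is not local, without exiting or throwing. The class name, the `SHUTDOWN` command string and the sample addresses are assumptions made for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class LocalOnlyControlPort {
    // Hypothetical command string for this example; not Tomcat's actual signal.
    static final String SHUTDOWN_COMMAND = "SHUTDOWN";

    /** True only when the peer is loopback or the very address the connection arrived on. */
    static boolean isLocalPeer(InetAddress peer, InetAddress local) {
        return peer.isLoopbackAddress() || peer.equals(local);
    }

    /** Handles one control connection; returns true if a shutdown should proceed. */
    static boolean handle(Socket s) throws IOException {
        if (!isLocalPeer(s.getInetAddress(), s.getLocalAddress())) {
            System.err.println("control port: rejected " + s.getInetAddress());
            return false; // drop quietly: no exit, no stack trace
        }
        s.setSoTimeout(2000); // a silent client must not stall the listener
        BufferedReader in = new BufferedReader(
                new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
        return SHUTDOWN_COMMAND.equals(in.readLine());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample addresses (192.0.2.0/24 is reserved for documentation).
        InetAddress remote = InetAddress.getByName("192.0.2.10");
        InetAddress local = InetAddress.getByName("192.0.2.1");
        System.out.println("remote peer accepted? " + isLocalPeer(remote, local));

        // Binding to loopback keeps the port unreachable from other hosts entirely.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
             Socket client = new Socket(InetAddress.getLoopbackAddress(), server.getLocalPort());
             Socket accepted = server.accept()) {
            OutputStream out = client.getOutputStream();
            out.write((SHUTDOWN_COMMAND + "\n").getBytes(StandardCharsets.US_ASCII));
            out.flush();
            System.out.println("loopback shutdown accepted? " + handle(accepted));
        }
    }
}
```

The address check and the loopback bind are independent layers: the bind stops remote connections from reaching the listener, and the check still holds if the listener is later rebound to all interfaces.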


