tomcat-dev mailing list archives

From "Joe Shevland" <shevla...@kpi.com.au>
Subject RE: Tomcat Security Vulnerability
Date Thu, 05 Oct 2000 21:40:27 GMT
I just managed to telnet <hostname> 8007 from a remote machine on the internal network...
I've had some prob's checking localhost in the past, this is how I do it ATM:

// Compare String contents with equals(); != compares object references in Java
if ( !"127.0.0.1".equals(socket.getInetAddress().getHostAddress()) ) {
	System.err.println("Cannot service client request: "+socket.getInetAddress().getHostAddress());
	out.println("Cannot service request from "+socket.getInetAddress().getHostAddress());
	out.flush();
	try { socket.close(); } catch ( IOException ignored ) {}
	return;
}

Cheers,
Joe

> -----Original Message-----
> From: cmanolache@yahoo.com [mailto:cmanolache@yahoo.com]
> Sent: Friday, October 06, 2000 8:30 AM
> To: 'tomcat-dev@jakarta.apache.org'
> Cc: tomcat-user@jakarta.apache.org
> Subject: Re: Tomcat Security Vulnerability
> 
> 
> Hi,
> 
> AFAIK there is a check on Ajp12 to verify if the host sending the stop
> request is the same as localhost - that means someone from outside
> shouldn't be able to stop tomcat. IF this is not true - then there is a
> problem in isSameAddress().
> 
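
The localhost check discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: it tests the peer's InetAddress rather than its printed form and binds the control listener to loopback only. The class LoopbackGuard, its methods isLocalPeer and openControlSocket, the sample addresses, and the use of port 0 are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

// Added example: LoopbackGuard and its method names are hypothetical, not Tomcat code.
public class LoopbackGuard {

    // Test the address itself, not its printed form: this accepts all of
    // 127.0.0.0/8 and ::1, and does not depend on String identity.
    static boolean isLocalPeer(InetAddress peer) {
        return peer != null && peer.isLoopbackAddress();
    }

    // Binding the control listener to loopback means remote hosts cannot
    // connect at all; the per-connection check is then a second layer.
    static ServerSocket openControlSocket(int port) throws IOException {
        return new ServerSocket(port, 50, InetAddress.getLoopbackAddress());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample peers (IP literals only, so no DNS lookup happens).
        String[] samples = { "127.0.0.1", "127.0.0.2", "::1", "192.168.1.10" };
        for (String s : samples) {
            InetAddress a = InetAddress.getByName(s);
            System.out.println(s + " -> local=" + isLocalPeer(a));
        }

        // Port 0 = any free port; a real deployment would use its configured port.
        try (ServerSocket server = openControlSocket(0)) {
            System.out.println("listening on " + server.getLocalSocketAddress());
            try (Socket client = new Socket(InetAddress.getLoopbackAddress(), server.getLocalPort());
                 Socket accepted = server.accept()) {
                InetAddress peer = accepted.getInetAddress();
                if (!isLocalPeer(peer)) {
                    System.err.println("Cannot service client request: " + peer.getHostAddress());
                    return;
                }
                System.out.println("accepted control connection from " + peer.getHostAddress());
            }
        }
    }
}
```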

