tomcat-dev mailing list archives

From cmanola...@yahoo.com
Subject Re: Tomcat Security Vulnerability
Date Mon, 09 Oct 2000 17:22:19 GMT
> cmanolache@yahoo.com writes:
> 
> > I'm all +1 for removing the shutdown option from mod_jserv or to remove
> > mod_jserv completely. 
> 
> mod_jserv is not the problem. It HAS security mechanisms (see
> ApJServSecretKey). It is the Tomcat interface to mod_jserv that is
> lacking in security features.

Then please send a patch that implements any security feature you
would like!

It's an open source project - most people work on this in their free time
and contribute whatever they feel they need. For me checking for
localhost is enough - and packet filtering is an extra. Adding a
"secret" key doesn't seem like a perfect solution either and adds
configuration and runtime overhead. 

It may be an excellent idea for ajp13, where the connection is reused (and
a challenge/response solution can be implemented to initiate the
connection without sending the key for every request).


Costin
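
Added example, not part of the original message and not Tomcat or mod_jserv code: a sketch of the connection-level challenge/response the message mentions for a reused ajp13 connection, where the shared secret is proven once per connection and never sent on the wire. The class and method names, the HMAC-SHA256 construction, and the sample secrets are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical names throughout; HMAC-SHA256 is an assumed choice of primitive.
public class ConnectorHandshake {
    private static final SecureRandom RNG = new SecureRandom();

    // Servlet container side: a fresh random challenge for each new connection.
    static byte[] newChallenge() {
        byte[] nonce = new byte[32];
        RNG.nextBytes(nonce);
        return nonce;
    }

    // Web server side: prove knowledge of the secret without sending it.
    static byte[] respond(byte[] secret, byte[] challenge) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(challenge);
    }

    // Container side: recompute the expected response and compare in constant time.
    static boolean verify(byte[] secret, byte[] challenge, byte[] response)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(respond(secret, challenge), response);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample secrets, for demonstration only.
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        byte[] wrong = "some-other-secret".getBytes(StandardCharsets.UTF_8);

        byte[] c1 = newChallenge();                 // connection 1
        byte[] r1 = respond(secret, c1);
        System.out.println("valid peer accepted:   " + verify(secret, c1, r1));
        System.out.println("wrong secret rejected: " + !verify(secret, c1, respond(wrong, c1)));

        byte[] c2 = newChallenge();                 // connection 2
        // A response captured on connection 1 does not match the new challenge.
        System.out.println("replay rejected:       " + !verify(secret, c2, r1));
        // After a successful handshake, requests on that connection carry no key.
    }
}
```

The handshake authenticates the peer only at connection setup; it does not encrypt or integrity-protect the requests that follow, so the localhost check and packet filtering discussed in the thread still apply.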


