tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: [Bug 389] New - Security Issue? Important attributes exposed by ServletContext can be modified BugRat Report#682
Date Tue, 13 Mar 2001 01:01:17 GMT
The latest version of Tomcat 4.0 from CVS supports the Java SecurityManager.
Tomcat 4.0 Beta 1 did not.

The Java SecurityManager can restrict access to those properties and do a 
great deal more to assist you in running a secure application server.

I wouldn't consider what you reported as a bug now that the Java SecurityManager
has been implemented.

BTW, if you are attending ApacheCon 2001 Apr 4-6, I will be presenting a session on
"Tomcat Server and Application Security" that goes into great detail on
how the Java SecurityManager works and using it with Tomcat.

Regards,

Glenn

bugzilla@apache.org wrote:
> 
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=389
> 
> *** shadow/389  Mon Mar 12 13:27:37 2001
> --- shadow/389.tmp.1035 Mon Mar 12 13:27:37 2001
> ***************
> *** 0 ****
> --- 1,22 ----
> + +============================================================================+
> + | Security Issue? Important attributes exposed by ServletContext can be modi |
> + +----------------------------------------------------------------------------+
> + |        Bug #: 389                         Product: Tomcat 4                |
> + |       Status: UNCONFIRMED                 Version: 4.0 Beta 1              |
> + |   Resolution:                            Platform: All                     |
> + |     Severity: Normal                   OS/Version: All                     |
> + |     Priority: High                      Component: Catalina                |
> + +----------------------------------------------------------------------------+
> + |  Assigned To: craig.mcclanahan@eng.sun.com                                 |
> + |  Reported By: rmandava@talentportal.com                                    |
> + |      CC list: Cc:                                                          |
> + +----------------------------------------------------------------------------+
> + |          URL:                                                              |
> + +============================================================================+
> + |                              DESCRIPTION                                   |
> + Hi:
> +
> +   The attributes such as "org.apache.catalina.classloader", "org.apache.catalina.jsp_classpath"
> + are exposed through ServletContext and can be easily modified. No security violation is generated
> + and anybody with an application installed on the web server can modify these variables. Isn't
> + it a security problem for Tomcat?
> +
> + Thanks
> + -Ramesh
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-dev-help@jakarta.apache.org

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

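Glenn's point above, that the Java SecurityManager can restrict access to those ServletContext attributes, as an added Java example that is not part of this thread and not Tomcat's own code. The attribute store, the permission name `example.writeReservedContextAttribute`, the `DemoSecurityManager` and the sample paths are all constructed for illustration; the mechanism Tomcat itself uses to protect these attributes is not shown here.

```java
import java.security.Permission;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Tomcat code: a minimal attribute store showing how a
 * container can use the Java SecurityManager to keep web applications from
 * overwriting container-reserved ServletContext attributes such as
 * "org.apache.catalina.jsp_classpath". Unreserved names stay writable.
 */
public class ReservedAttributeGuard {

    /** Namespace of attributes the container publishes but owns. */
    private static final String RESERVED_PREFIX = "org.apache.catalina.";

    /** Hypothetical permission name; a real container would define its own. */
    static final String WRITE_RESERVED = "example.writeReservedContextAttribute";

    private final Map<String, Object> attributes = new HashMap<>();

    public Object getAttribute(String name) {
        return attributes.get(name);
    }

    /**
     * Writes to the reserved namespace are only allowed when no SecurityManager
     * is installed (trusted container startup) or when the active policy grants
     * the permission to every frame on the call stack.
     */
    public void setAttribute(String name, Object value) {
        if (name.startsWith(RESERVED_PREFIX)) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // Throws SecurityException unless the caller is trusted.
                sm.checkPermission(new RuntimePermission(WRITE_RESERVED));
            }
        }
        attributes.put(name, value);
    }

    /**
     * Constructed policy for the demo: deny only the reserved-write permission
     * and allow everything else, so the program runs without a policy file.
     * In a real deployment the decision would come from catalina.policy instead.
     */
    static final class DemoSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission && WRITE_RESERVED.equals(perm.getName())) {
                throw new SecurityException("web application may not modify reserved attribute");
            }
        }
    }

    public static void main(String[] args) {
        ReservedAttributeGuard ctx = new ReservedAttributeGuard();

        // Container startup, before the SecurityManager is installed (path is constructed).
        ctx.setAttribute("org.apache.catalina.jsp_classpath", "/opt/tomcat/common/lib");

        System.setSecurityManager(new DemoSecurityManager());

        // A web application now tries to overwrite the reserved attribute and is refused.
        try {
            ctx.setAttribute("org.apache.catalina.jsp_classpath", "/tmp/untrusted");
            System.out.println("unexpected: reserved attribute was overwritten");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Application-owned attributes are unaffected by the check.
        ctx.setAttribute("com.example.myapp.config", "still writable");

        System.out.println("jsp_classpath = " + ctx.getAttribute("org.apache.catalina.jsp_classpath"));
    }
}
```

Compile with `javac ReservedAttributeGuard.java` and run with `java ReservedAttributeGuard`; the reserved write is rejected while the container-set value survives. On JDK 18 and later the SecurityManager is deprecated for removal and disallowed by default, so the program must be started with `-Djava.security.manager=allow` for `System.setSecurityManager` to succeed.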

