tomcat-dev mailing list archives

From "Carlos Gaston Alvarez" <gast...@tournet.com.ar>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Date Fri, 24 Aug 2001 19:10:34 GMT
Just a security issue.
Confirm that you are not listening only to the necessary characters to know
that it doesn't match, that you are listening to more. Because if you stop it
just when you know it will not match, a hacker can easily guess what the
password is. You should have a (big) minimum to listen for before stopping it.
Sorry if this mail is useless (most probably), just a thought.

Chau,

Gaston


----- Original Message -----
From: "Pier P. Fumagalli" <pier@betaversion.org>
To: <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, August 21, 2001 9:10 PM
Subject: Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java


> Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
>
> > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> >> craigmcc    01/08/21 11:51:52
> >>
> >>   Modified:    catalina/src/share/org/apache/catalina/core
> >>                         StandardServer.java
> >>   Log:
> >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> >>   of memory" exception by sending a continuous stream of characters.  Now,
> >>   Tomcat will only listen for enough characters to match or not-match the
> >>   required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
>
> Good point... :(
>
>     Pier
>
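The trade-off the thread discusses, as an added example that is not Tomcat's code or any poster's: a stop-at-first-mismatch reader (the fix as described in the commit message) returns a byte count that depends on how many leading characters of the secret were supplied, while a reader that always consumes a fixed upper bound and compares in constant time bounds memory use without that leak. The `MAX_READ` value and the sample password are assumptions for the demonstration; a real socket reader would also need a read timeout.

```python
import hmac
import io

MAX_READ = 1024           # assumed cap: bounds buffering, so an endless stream cannot exhaust memory
SHUTDOWN = "SHUTDOWN"     # constructed sample password, not any real configuration value


def read_until_mismatch(stream, password):
    """Reader that stops as soon as the input can no longer match.
    Returns (matched, bytes_consumed). The byte count reveals how many
    leading characters of the password the client supplied."""
    consumed = 0
    for expected in password:
        ch = stream.read(1)
        if not ch:                      # client closed early
            return False, consumed
        consumed += 1
        if ch != expected:              # first mismatch: stop here
            return False, consumed
    return True, consumed


def read_bounded(stream, password, max_read=MAX_READ):
    """Hardened reader: always consume up to max_read characters regardless of
    the password, then compare the first line in constant time.
    Bytes consumed depend only on the client's input length and the cap."""
    buf = stream.read(max_read)
    line = buf.split("\n", 1)[0]        # the command is the first line
    ok = hmac.compare_digest(line.encode(), password.encode())
    return ok, len(buf)


def consumed_counts(inputs, reader, password=SHUTDOWN):
    """Run a reader over several constructed client inputs and report how
    many characters each one caused the server to read."""
    return [reader(io.StringIO(data), password)[1] for data in inputs]


if __name__ == "__main__":
    # Constructed probes: a wrong first character, a partial prefix, a long flood.
    probes = ["X" * 64, "SHUTD" + "X" * 64, "A" * 5000]
    print("stop at mismatch:", consumed_counts(probes, read_until_mismatch))
    print("bounded read:    ", consumed_counts(probes, read_bounded))
```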

