tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 15:13:34 GMT
All,
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Mark's official report to the users' list indicates that setting a
"secret" for the AJP connection does the trick. (I tried this myself
before digging up his message and can confirm that the sample code fails
when a "secret" is set).

Should we mention this on the Security page directly for those who
didn't read the announcement on the users' list?

Thanks,
-chris
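
Added example, not part of the original message or of Tomcat's code: a small audit that parses a server.xml and reports AJP connectors that have no secret configured, which is the mitigation discussed above. The sample file is constructed, and the attribute names `requiredSecret` (older releases) and `secret` (later releases) are taken from Tomcat's AJP connector documentation rather than from this message.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml for the audit (not from the original message).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" requiredSecret="CHANGE-ME-placeholder" />
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpProtocol" secret="" />
  </Service>
</Server>
"""

# Assumption: either attribute name may carry the shared secret, depending on release.
SECRET_ATTRS = ("requiredSecret", "secret")


def is_ajp(connector):
    """True for protocol="AJP/1.3" or an AJP protocol handler class name."""
    proto = connector.get("protocol", "HTTP/1.1").lower()
    return proto.startswith("ajp/") or ".ajp." in proto


def audit_ajp_connectors(server_xml):
    """Return (port, has_secret, address) for every AJP connector found."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        # An empty or whitespace-only value does not count as a secret.
        has_secret = any(conn.get(attr, "").strip() for attr in SECRET_ATTRS)
        findings.append((conn.get("port"), has_secret, conn.get("address", "(not set)")))
    return findings


def unprotected_ports(server_xml):
    """Ports of AJP connectors that accept requests without a secret."""
    return [port for port, has_secret, _ in audit_ajp_connectors(server_xml) if not has_secret]


if __name__ == "__main__":
    for port, has_secret, address in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "secret set" if has_secret else "NO SECRET"
        print(f"AJP connector port={port} address={address}: {status}")
```

The front-end web server has to send the same value; with mod_jk that is the worker's `secret` property.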

