tomcat-dev mailing list archives

From Christopher Schultz <>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 20:13:23 GMT

On 9/8/2011 11:47 AM, Mark Thomas wrote:
> On 08/09/2011 16:13, Christopher Schultz wrote:
>> All,
>> Mark's official report to the users' list indicates that setting a 
>> "secret" for the AJP connection does the trick. (I tried this
>> myself before digging up his message and can confirm that the
>> sample code fails when a "secret" is set).
>> Should we mention this on the Security page directly for those who 
>> didn't read the announcement on the users' list?
> No reason why not. Go for it.

Okay. Any idea if mod_proxy_ajp supports the shared secret? The
documentation is so light on actually using mod_proxy_ajp that it might
be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
completely undocumented in the httpd documentation.

This is all I could find:


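The mechanism behind the mitigation discussed above, as an added example that is not from the post and not Tomcat or httpd code: a minimal AJP13 encoder for CPing and Forward Request packets, plus a model of the container-side check that rejects a Forward Request which does not carry the configured secret. The type and attribute codes follow the AJP13 protocol; the secret value, URI and the `container_handle` function are constructed for this example.

```python
import struct
from typing import Optional

# AJP13 protocol constants (from the protocol, not from the post).
AJP_MAGIC_TO_CONTAINER = b"\x12\x34"
FORWARD_REQUEST = 0x02
CPING = 0x0A
ATTR_REQ_ATTRIBUTE = 0x0A   # name/value pair
ATTR_SSL_KEY_SIZE = 0x0B    # 2-byte integer
ATTR_SECRET = 0x0C          # the shared secret, as an AJP string
ATTR_DONE = 0xFF            # attribute list terminator
METHOD_GET = 2

# Constructed secret shared by the "proxy" and "container" sides of this example.
CONFIGURED_SECRET = b"changeit"


def ajp_string(s: bytes) -> bytes:
    """AJP13 string: 2-byte big-endian length, the bytes, a NUL terminator."""
    return struct.pack(">H", len(s)) + s + b"\x00"


def ajp_packet(payload: bytes) -> bytes:
    """Frame a proxy-to-container message: magic, 2-byte length, payload."""
    return AJP_MAGIC_TO_CONTAINER + struct.pack(">H", len(payload)) + payload


def cping() -> bytes:
    """CPing is just its type byte; it carries no secret."""
    return ajp_packet(bytes([CPING]))


def forward_request(uri: bytes, secret: Optional[bytes] = None) -> bytes:
    """Build a minimal Forward Request (no headers). A proxy that knows the
    secret appends it as attribute 0x0C; a forger that does not cannot."""
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += ajp_string(b"HTTP/1.1")        # protocol
    body += ajp_string(uri)                # req_uri
    body += ajp_string(b"127.0.0.1")       # remote_addr
    body += ajp_string(b"")                # remote_host
    body += ajp_string(b"localhost")       # server_name
    body += struct.pack(">H", 80)          # server_port
    body += b"\x00"                        # is_ssl = false
    body += struct.pack(">H", 0)           # num_headers = 0
    if secret is not None:
        body += bytes([ATTR_SECRET]) + ajp_string(secret)
    body += bytes([ATTR_DONE])
    return ajp_packet(body)


class _Reader:
    """Sequential reader over an AJP13 payload."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def byte(self) -> int:
        v = self.data[self.pos]; self.pos += 1; return v

    def int2(self) -> int:
        v = struct.unpack_from(">H", self.data, self.pos)[0]; self.pos += 2; return v

    def string(self) -> Optional[bytes]:
        n = self.int2()
        if n == 0xFFFF:                    # length 0xFFFF encodes a null string
            return None
        s = self.data[self.pos:self.pos + n]
        self.pos += n + 1                  # skip the NUL terminator
        return s


def container_handle(packet: bytes, required_secret: Optional[bytes]) -> str:
    """Model of the container side: CPing is answered unconditionally; a Forward
    Request is accepted ("200") only if no secret is required or a matching
    0x0C attribute is present, otherwise it is refused ("403")."""
    if packet[:2] != AJP_MAGIC_TO_CONTAINER:
        raise ValueError("bad AJP magic")
    length = struct.unpack(">H", packet[2:4])[0]
    r = _Reader(packet[4:4 + length])
    kind = r.byte()
    if kind == CPING:
        return "CPONG"                     # answered before any secret check
    if kind != FORWARD_REQUEST:
        return "UNKNOWN"
    r.byte()                               # method
    for _ in range(5):                     # protocol, req_uri, remote_addr, remote_host, server_name
        r.string()
    r.int2()                               # server_port
    r.byte()                               # is_ssl
    for _ in range(r.int2()):              # headers: coded name (0xA0 xx) or string, then value
        r.int2() if r.data[r.pos] == 0xA0 else r.string()
        r.string()
    secret_ok = False
    while (attr := r.byte()) != ATTR_DONE:
        if attr == ATTR_SSL_KEY_SIZE:
            r.int2()
        elif attr == ATTR_REQ_ATTRIBUTE:
            r.string(); r.string()
        else:
            value = r.string()
            if attr == ATTR_SECRET and value == required_secret:
                secret_ok = True
    if required_secret is not None and not secret_ok:
        return "403"
    return "200"
```

The example makes the point behind the mitigation: a Forward Request forged by anyone who can reach the AJP port is byte-for-byte indistinguishable from the proxy's unless the proxy must also present a value the forger does not have, and the check only bites when the container is configured to require it. CPing is answered before that check, so the secret protects request forwarding, not connectivity probing. On the configuration side, Tomcat 7's connector attribute for this was `requiredSecret`; httpd's mod_proxy_ajp did not grow a matching `secret=` worker parameter until version 2.4.42.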