tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 20:13:23 GMT
Mark,

On 9/8/2011 11:47 AM, Mark Thomas wrote:
> On 08/09/2011 16:13, Christopher Schultz wrote:
>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>
>> Mark's official report to the users' list indicates that setting a 
>> "secret" for the AJP connection does the trick. (I tried this
>> myself before digging-up his message and can confirm that the
>> sample code fails when a "secret" is set).
>>
>> Should we mention this on the Security page directly for those who 
>> didn't read the announcement on the users' list?
> 
> No reason why not. Go for it.

Okay. Any idea if mod_proxy_ajp supports the shared secret? The
documentation is so light on actually using mod_proxy_ajp that it might
be supported ("ProxyPass /foo ajp://bar secret=changeit"?) but
completely undocumented in the httpd documentation.

This is all I could find:

http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBcQFjAA&url=http%3A%2F%2Fwww.gossamer-threads.com%2Flists%2Fapache%2Fdev%2F332363&rct=j&q=mod_proxy_ajp%20secret&ei=fCFpTtWRAuPL0QGUo-CDDA&usg=AFQjCNHOT2d5i5zlmL06G4eoMG5skYTkVw&cad=rja

Thanks,
-chris
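As an added configuration example (not part of the message above, and not text from either project's documentation): the mitigation under discussion has to be set on both ends of the AJP link. The Tomcat side uses the requiredSecret attribute of the AJP connector as it was named in the Tomcat 5.5/6/7 era; Tomcat 8.5.51 and 9.0.31 renamed it to secret and added secretRequired. The httpd side assumes mod_proxy_ajp from httpd 2.4.42 or later, which added a secret= worker parameter; releases current when this message was written had no such option, and the hostnames, port and the value changeit are placeholders.

```xml
<!-- Tomcat server.xml, AJP connector (added example, not from the original message).
     Weak: any client that can reach port 8009 can send CPing/Forward-Request packets,
     because no shared secret is required. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: requests are accepted only from a proxy that presents the same secret.
     'changeit' is a constructed placeholder; use a long random value and keep the
     file holding it readable only by the Tomcat service account.
     Tomcat 5.5/6/7 attribute name: requiredSecret
     Tomcat 8.5.51+ / 9.0.31+:      secret="..." (secretRequired defaults to true) -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           requiredSecret="changeit" />

<!-- Matching httpd side (mod_proxy_ajp, httpd 2.4.42 or later), shown as a comment
     here because it belongs in httpd.conf rather than server.xml:

     ProxyPass /foo ajp://tomcat-host:8009/foo secret=changeit

     A proxy whose secret does not match (or that sends none) is rejected by Tomcat
     in the same way as the forged packets from the bug report. -->
```

Verify the setting by watching Tomcat's log while the proxy is restarted: a mismatched or missing secret shows up as rejected AJP requests, while a matching one serves the proxied application normally.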

