tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Mitigating AJP CPing/Forward-Request packet forgery before next releases
Date Thu, 08 Sep 2011 21:32:22 GMT
On 08/09/2011 21:13, Christopher Schultz wrote:
> Mark,
> 
> On 9/8/2011 11:47 AM, Mark Thomas wrote:
>> On 08/09/2011 16:13, Christopher Schultz wrote:
>>> All, https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
>>> 
>>> Mark's official report to the users' list indicates that
>>> setting a "secret" for the AJP connection does the trick. (I
>>> tried this myself before digging-up his message and can confirm
>>> that the sample code fails when a "secret" is set).
>>> 
>>> Should we mention this on the Security page directly for those
>>> who didn't read the announcement on the users' list?
>> 
>> No reason why not. Go for it.
> 
> Okay. Any idea if mod_proxy_ajp supports the shared secret?

No idea at all off the top of my head. I'd be surprised if it didn't
since the mod_proxy_ajp code started with the mod_jk code.

> The documentation is so light on actually using mod_proxy_ajp that
> it might be supported ("ProxyPass /foo ajp://bar secret=changeit"?)
> but completely undocumented in the httpd documentation.
> 
> This is all I could find:
> 
> http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBcQFjAA&url=http%3A%2F%2Fwww.gossamer-threads.com%2Flists%2Fapache%2Fdev%2F332363&rct=j&q=mod_proxy_ajp%20secret&ei=fCFpTtWRAuPL0QGUo-CDDA&usg=AFQjCNHOT2d5i5zlmL06G4eoMG5skYTkVw&cad=rja

What is wrong with looking at the source code? I'm no C programmer but
it looks like the necessary code is in place. Probably quicker to just
try it to confirm it.

Mark
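
The mitigation the thread refers to, "setting a secret for the AJP connection", shown as an added example in Tomcat's server.xml (this is not configuration from the thread or from the Tomcat project; the port, address and secret value are constructed placeholders). In the Tomcat versions current in 2011 the connector attribute was `requiredSecret`; Tomcat 8.5.51 / 9.0.31 and later renamed it `secret`.

```xml
<!-- Weak: the AJP connector accepts packets from any client that can reach
     the port. Nothing distinguishes the real web server from a forged
     CPing / Forward-Request packet sent by someone else on the network. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: the connector rejects any Forward-Request whose secret
     attribute does not match this value, so a client that does not know the
     shared secret cannot get a request processed. The value is a constructed
     placeholder; use a long random string and configure the same value on
     the proxy side (for mod_jk: worker.<name>.secret in workers.properties).
     The address attribute (not discussed in the thread) additionally keeps the
     connector off external interfaces when the proxy runs on the same host. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           requiredSecret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
```

The proxy must present the identical value, otherwise legitimate requests are rejected as well; httpd's mod_proxy_ajp only gained a `secret=` ProxyPass parameter in 2.4.42, long after this thread, so at the time only mod_jk could be configured to send one.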
