tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gregor Schneider <rc4...@googlemail.com>
Subject Re: redirection
Date Wed, 01 Apr 2009 15:31:34 GMT
Peter,

On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther
<Peter.Crowther@melandra.com> wrote:

> And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities
than just Tomcat.
>
> I'd also be very interested to see the evidence (either way) on that.
>
See, I believe in the statement that the more components you're adding
to an environment, the more possibilities there are for a
security-hole. However, to believe is not to know...

However, when I check full-disclosure and other security-lists, I see
few issues referring to Tomcat, but I see quite some issues referring
to HTTPD and it's modules.

I guess if you're once able to break HTTPD and found your way into the
box, harm is on it's way. I further /believe/ that from this point it
makes sense to use as few components as possible.

Anyhow, that's what I believe, not what I know.

Cheers

Gregor
-- 
just because your paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message