tomcat-users mailing list archives

From André Warnier
Subject Re: Apache Tomcat 5.5.34 Question (UNCLASSIFIED)
Date Fri, 30 Sep 2011 20:30:29 GMT
Christopher Schultz wrote:
> André,
> On 9/29/2011 5:59 PM, André Warnier wrote:
>> Addendum : And then we're gonna make sure that the configuration
>> files of Tomcat are given appropriate permissions so that only
>> Tomcat and authorized users can browse said secret. End of
>> addendum.
> While that's a good idea in general, 

That is how it was meant.
It just seemed to fit well with the general gist of this conversation.

> it doesn't help prevent this
> attack unless there is a trusted insider.
> Setting the shared secret means that nobody entirely outside your
> environment can inject an AJP message into Tomcat. Read the bug report
> if you haven't already done so... it's quite a brilliant attack.

I'll do that then.
Trusted insider? Sounds intriguing.

