tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Apache Tomcat 5.5.34 Question (UNCLASSIFIED)
Date Fri, 30 Sep 2011 20:30:29 GMT
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> André,
> 
> On 9/29/2011 5:59 PM, André Warnier wrote:
>> Addendum : And then we're gonna make sure that the configuration
>> files of Tomcat are given appropriate permissions so that only
>> Tomcat and authorized users can browse said secret. End of
>> addendum.
> 
> While that's a good idea in general, 

That is how it was meant.
It just seemed to fit well with the general gist of this conversation.

> it doesn't help prevent this
> attack unless there is a trusted insider.
> 
> Setting the shared secret means that nobody entirely outside your
> environment can inject an AJP message into Tomcat. Read the bug report
> if you haven't already done so... it's quite a brilliant attack.

I'll do that then.
Trusted insider? Sounds intriguing.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
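The two measures discussed in this exchange, setting an AJP shared secret so that only the front-end worker can inject AJP messages, and restricting the permissions on the files that hold that secret, as an added shell example. This is not code from the thread or from the Tomcat project; the file paths, the worker name ajp13, the loopback bind address, the generated secret value and the helper names are assumptions for illustration. On Tomcat 5.5 the connector attribute is request.secret and the mod_jk side is worker.<name>.secret; later Tomcat releases renamed the connector attribute (requiredSecret in 7.x, secret in 8.5.51 / 9.0.31 and later), so check the AJP connector reference for the version you run. The secret only stops outsiders: anyone who can read server.xml or workers.properties has it, which is why the permission check is part of the same procedure.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Tomcat project.
# Configures an AJP shared secret on both ends of a Tomcat 5.5 <-> mod_jk link
# and restricts the files that contain it. Paths, worker name, bind address
# and the secret itself are illustrative assumptions.

# Generate a 64-hex-char secret from the kernel CSPRNG (no openssl needed).
gen_secret() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write a minimal server.xml whose AJP connector requires the secret.
# request.secret is the Tomcat 5.5/6 attribute name (assumed here; it was
# renamed in later releases). Binding to 127.0.0.1 keeps the port off the
# network; the secret is the second layer for anyone who can still reach it.
write_tomcat_ajp() {  # $1 = path to server.xml, $2 = secret
    cat > "$1" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               request.secret="$2" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF
    chmod 0640 "$1"   # owner rw, group r, nothing for other
}

# Write the matching mod_jk workers.properties; the value must be identical
# or mod_jk's requests are rejected by the connector.
write_jk_worker() {  # $1 = path to workers.properties, $2 = secret
    cat > "$1" <<EOF
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=127.0.0.1
worker.ajp13.port=8009
worker.ajp13.secret=$2
EOF
    chmod 0640 "$1"
}

# Pull the secret back out of each file so the two sides can be compared.
tomcat_secret() { sed -n 's/.*request\.secret="\([^"]*\)".*/\1/p' "$1"; }
jk_secret()     { sed -n 's/^worker\.ajp13\.secret=//p' "$1"; }

# Succeed (return 0) only when the file has no read bit for "other".
not_world_readable() {
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# The audit a reviewer would run: secret present, equal on both sides,
# and neither file readable by arbitrary local users.
check_hardening() {  # $1 = server.xml, $2 = workers.properties
    ts=$(tomcat_secret "$1")
    js=$(jk_secret "$2")
    [ -n "$ts" ] || { echo "no request.secret in $1"; return 1; }
    [ "$ts" = "$js" ] || { echo "secret mismatch between $1 and $2"; return 1; }
    not_world_readable "$1" || { echo "$1 is world-readable"; return 1; }
    not_world_readable "$2" || { echo "$2 is world-readable"; return 1; }
    echo "ok: AJP secret set on both sides, config files restricted"
}
```

Typical use on a real host would be `write_tomcat_ajp /etc/tomcat5.5/server.xml "$(gen_secret)"` followed by the mod_jk write with the same value, then `check_hardening` after any later edit to either file. The check is deliberately strict about the "other" read bit rather than about a specific mode, because the only thing the thread asks for is that non-authorised users cannot browse the secret.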

