Amit,
On 9/7/2011 6:38 PM, Christopher Schultz wrote:
> I've been trying to determine if using an AJP "secret" will thwart
> this kind of attack. I suspect it will, but I can't get my TC to
> take a secret just now (see my post under separate cover).
Confirmed: setting a "secret" on your AJP connection will prevent
these types of attack messages from being processed by Tomcat.
See the CVE announcement which includes this technique as a mitigatory
action:
http://markmail.org/message/w5ya5e2xv5xaw3zd
-chris
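
Added example, not part of the original message or of Tomcat itself: a small audit that parses a `server.xml` and reports AJP connectors that have no shared secret set. It assumes the connector attribute is named `requiredSecret` (older Tomcat releases) or `secret` (newer ones); the sample configuration and its placeholder secret are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names Tomcat has used for the AJP shared secret (assumption stated
# in the lead-in): "requiredSecret" on older releases, "secret" on newer ones.
SECRET_ATTRS = ("secret", "requiredSecret")

# Constructed sample server.xml (not from the original post).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" requiredSecret="" />
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpProtocol"
               requiredSecret="PLACEHOLDER-CHANGE-ME" />
  </Service>
</Server>
"""

def is_ajp(connector):
    """True for protocol="AJP/1.3" or an org.apache.coyote.ajp.* class name."""
    # A connector with no protocol attribute defaults to HTTP, so it is skipped.
    return "ajp" in connector.get("protocol", "").lower()

def ajp_connectors_without_secret(server_xml):
    """Return the ports of AJP connectors with a missing or empty secret."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        # First non-empty secret attribute, if any.
        secret = next((conn.get(a) for a in SECRET_ATTRS if conn.get(a)), None)
        if not secret:
            findings.append(conn.get("port", "?"))
    return findings

if __name__ == "__main__":
    for port in ajp_connectors_without_secret(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: no secret configured")
```

The front-end proxy has to send the same value (for mod_jk, the worker's `secret` property), otherwise Tomcat will reject its requests as well.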