Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> André,
>
> On 9/29/2011 5:59 PM, André Warnier wrote:
>> Addendum : And then we're gonna make sure that the configuration
>> files of Tomcat are given appropriate permissions so that only
>> Tomcat and authorized users can browse said secret. End of
>> addendum.
>
> While that's a good idea in general,
That is how it was meant.
It just seemed to fit well with the general gist of this conversation.
> it doesn't help prevent this
> attack unless there is a trusted insider.
>
> Setting the shared secret means that nobody entirely outside your
> environment can inject an AJP message into Tomcat. Read the bug report
> if you haven't already done so... it's quite a brilliant attack.
I'll do that then.
Trusted insider? Sounds intriguing.
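The two controls discussed above, the AJP shared secret and restrictive permissions on Tomcat's configuration files, can be audited from a shell. The script below is an added example and not code from this thread or from the Tomcat project: it builds two constructed `server.xml` fragments (one AJP connector with no secret, one bound to loopback with a secret), then checks each for an AJP `<Connector>` lacking a secret and for world-readability. The attribute names it looks for are `requiredSecret` (the Tomcat 7 era attribute) and `secret` (Tomcat 8.5.51+/9.0.31+); the secret value itself is an obvious placeholder.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Tomcat project.
# Audits a server.xml for AJP connectors without a shared secret, and checks
# that the file is not readable by "others" (the permission point raised above).

# Constructed sample configurations (the secret value is a placeholder).
WORK=$(mktemp -d)
cat > "$WORK/weak.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
cat > "$WORK/hardened.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secret="CHANGE-ME-example-secret" redirectPort="8443" />
  </Service>
</Server>
EOF
chmod 644 "$WORK/weak.xml"      # world-readable: anyone on the host can read the secret
chmod 640 "$WORK/hardened.xml"  # only the owner (tomcat) and its group can read it

# Prints every AJP <Connector> element in FILE that carries no non-empty secret.
# Each ">"-terminated tag is one awk record, so multi-line elements are handled.
ajp_connectors_without_secret() {
    awk 'BEGIN { RS = ">" }
         /<Connector[ \t\n]/ && /protocol="AJP\/1\.3"/ && \
         !/[ \t\n](requiredSecret|secret)="[^"]+"/ { print $0 ">" }' "$1"
}

# Returns 0 when every AJP connector in FILE has a shared secret, 1 otherwise.
ajp_secret_ok() {
    [ -z "$(ajp_connectors_without_secret "$1")" ]
}

# Returns 0 when FILE is not readable by "others" (no o+r bit), 1 otherwise.
not_world_readable() {
    [ -z "$(find "$1" -perm -004 -print)" ]
}

# Stand-alone run: report on both sample files.
for f in "$WORK/weak.xml" "$WORK/hardened.xml"; do
    if ajp_secret_ok "$f"; then echo "$f: all AJP connectors have a secret"
    else echo "$f: AJP connector(s) WITHOUT a secret:"; ajp_connectors_without_secret "$f"; fi
    if not_world_readable "$f"; then echo "$f: not world-readable"
    else echo "$f: WORLD-READABLE (secret exposed to every local user)"; fi
done
```

The same secret has to be configured on the httpd side (`worker.<name>.secret` in mod_jk's `workers.properties`, or the `secret=` parameter of mod_proxy_ajp in httpd 2.4.42+), and binding the connector to `127.0.0.1` keeps it off the network when the reverse proxy is on the same host. Both checks report on the shared secret only as present or absent; they never print its value.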
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org