tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 21:26:25 GMT
2013/4/12 Christopher Schultz <chris@christopherschultz.net>:
>
>> The attacker installed a viral servlet application that killed the
>> server completely, we had to rebuild it.
>
> I -- like most people I would guess -- don't run under a
> SecurityManager, but doing so can significantly limit the damage that
> a rogue webapp can do.
>

If you do not trust your applications then it is recommended to run
with <Host deployXML="false">.

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Host


I think there are not enough checks in place to avoid abuse if webapp
is able to provide its own context.xml file, even if you run with a
SecurityManager.


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message