tomcat-users mailing list archives

From Konstantin Kolinko
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 21:26:25 GMT
2013/4/12 Christopher Schultz:
>> The attacker installed a viral servlet application that killed the
>> server completely, we had to rebuild it.
> I -- like most people I would guess -- don't run under a
> SecurityManager, but doing so can significantly limit the damage that
> a rogue webapp can do.

If you do not trust your applications then it is recommended to run
with <Host deployXML="false">.

I think there are not enough checks in place to avoid abuse if a webapp
is able to provide its own context.xml file, even if you run with a

Best regards,
Konstantin Kolinko
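
An audit sketch for the `deployXML` recommendation in the message above, added here as an example and not part of the original post or of Tomcat itself. It lists `<Host>` elements that are not explicitly set to `deployXML="false"` and checks whether a WAR ships its own `META-INF/context.xml`; the sample `server.xml`, the host names and the helper names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the original message).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
      <Host name="hardened.example" appBase="apps" deployXML="false" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>"""


def hosts_allowing_embedded_context(server_xml):
    """Return names of <Host> elements not explicitly set to deployXML="false"."""
    root = ET.fromstring(server_xml)
    flagged = []
    for host in root.iter("Host"):
        # A missing attribute is flagged too: only an explicit "false" passes.
        if host.get("deployXML", "").strip().lower() != "false":
            flagged.append(host.get("name", "<unnamed>"))
    return flagged


def war_ships_context_xml(war_bytes):
    """True if the WAR archive carries its own META-INF/context.xml."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return "META-INF/context.xml" in war.namelist()


def make_sample_war(with_context):
    """Build a constructed in-memory WAR for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        if with_context:
            war.writestr("META-INF/context.xml", "<Context/>")
    return buf.getvalue()


if __name__ == "__main__":
    print("Hosts to review:", hosts_allowing_embedded_context(SAMPLE_SERVER_XML))
    print("WAR embeds context.xml:", war_ships_context_xml(make_sample_war(True)))
```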
