2013/4/12 Christopher Schultz <ch...@christopherschultz.net>:
>
>> The attacker installed a viral servlet application that killed the
>> server completely, we had to rebuild it.
>
> I -- like most people I would guess -- don't run under a
> SecurityManager, but doing so can significantly limit the damage that
> a rogue webapp can do.
>
If you do not trust your applications then it is recommended to run with
<Host deployXML="false">.

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Host

I think there are not enough checks in place to avoid abuse if a webapp
is able to provide its own context.xml file, even if you run with a
SecurityManager.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
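The following server.xml excerpt is an added illustration of the deployXML setting discussed in the reply above; it is neither Konstantin's text nor a configuration shipped with Tomcat. The host name "localhost", the appBase "webapps" and the application name "myapp" are assumed values. It shows the default (weak) Host definition, the hardened one, and where the administrator-supplied context file then has to live.

```xml
<!-- ADDED EXAMPLE: not part of the mailing-list reply or of Tomcat's own
     configuration files. Host name, appBase and app name are assumed. -->

<!-- Before: deployXML is omitted, so it defaults to true and Tomcat parses
     META-INF/context.xml from every deployed WAR. A hostile webapp can use
     that file to set container-level attributes for itself, for example
     privileged="true" or crossContext="true". -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
</Host>

<!-- After: deployXML="false" makes Tomcat ignore the META-INF/context.xml
     embedded in the WAR. Context configuration is then taken only from files
     the administrator places under $CATALINA_BASE/conf/Catalina/localhost/. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
      deployXML="false">
</Host>

<!-- $CATALINA_BASE/conf/Catalina/localhost/myapp.xml (assumed file name):
     the administrator-controlled context definition for myapp.war. This file
     is still honoured with deployXML="false"; the copy inside the WAR is not.
     privileged and crossContext are intentionally left at their default
     value of false. -->
<Context privileged="false" crossContext="false">
</Context>
```

With deployXML="false" a WAR that ships its own META-INF/context.xml still deploys, but with the default context settings rather than the ones it asked for; any per-application tuning the administrator wants must be written into the conf/Catalina/localhost/ file, which the webapp cannot modify.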