Peter,

Peter Crowther wrote:
| That's a nice little JSP - once it's on the system, the attacker can
| do anything they like that's allowed by the outbound firewall, with
| the privilege of the user running Tomcat.

Yeah, pretty much. This is one of the reasons that I set up my software firewalls to restrict /outgoing/ traffic from production systems just as much as restricting incoming traffic. If I don't need outgoing HTTP, FTP, IRC, or any of those other oft-used attack vectors from within a semi-compromised box, then I disable traffic over those ports. Better yet, disable everything and explicitly enable anything you actually need.

-chris
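
The "disable everything and explicitly enable anything you actually need" approach from the message above, sketched for a Linux host with iptables. This is an added example, not part of the original post: the function name `egress_rules`, the `proto:address:port` argument format and the 192.0.2.x addresses are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes Linux with iptables.
# Prints the commands for a default-deny outbound policy so they can be
# reviewed before being run as root (for example by piping them to sh).

egress_rules() {
    # Arguments: allowed destinations as proto:address:port (hypothetical format).
    # Validate every argument before printing anything, so a bad entry
    # never produces a half-written ruleset.
    for dest in "$@"; do
        proto=${dest%%:*}; rest=${dest#*:}
        addr=${rest%%:*};  port=${rest#*:}
        case "$proto" in tcp|udp) ;; *) echo "bad protocol in '$dest'" >&2; return 1 ;; esac
        case "$addr" in ''|*[!0-9./]*) echo "bad address in '$dest'" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port in '$dest'" >&2; return 1 ;; esac
    done

    echo "iptables -F OUTPUT"    # start from an empty OUTPUT chain
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies on connections that clients opened to Tomcat stay allowed;
    # only connections initiated from this host are restricted below.
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for dest in "$@"; do
        proto=${dest%%:*}; rest=${dest#*:}
        addr=${rest%%:*};  port=${rest#*:}
        echo "iptables -A OUTPUT -p $proto -d $addr --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what is about to be dropped: an outbound attempt from a box that
    # should make none is a useful signal of compromise.
    echo "iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix 'egress-drop: '"
    # Set the default-deny policy last, after the allow rules are in place.
    echo "iptables -P OUTPUT DROP"
}

# Constructed sample: allow only a DNS resolver and a database server.
#   egress_rules udp:192.0.2.53:53 tcp:192.0.2.10:5432
if [ "$#" -gt 0 ]; then
    egress_rules "$@"
fi
```

With no destinations listed, the host can still answer inbound requests but cannot open any outbound connection, including DNS lookups.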