On 18/02/2010 23:08, Curtis Garman wrote:
yes...this is what I was told... thanks all for the info

To be clear: Mark's answer is the correct one.


p


On Thu, Feb 18, 2010 at 9:52 AM, André Warnier <a...@ice-sa.com> wrote:

Curtis Garman wrote:

Is this something new for tomcat 6?...I was told there was a security
vulnerability there with tomcat 5


Yes.  At some point in time, in version 5.0 or 5.5 or 6.0, someone realised
that if this "shutdown port" allowed connections from anywhere, there was a
theoretical possibility that some miscreant, if he also knew the shutdown
"password string" (the one indicated by the "shutdown" attribute), might
send it just to be a pain and annoy everyone by shutting down Tomcat.
That was when it was decided to only allow connections from localhost on
that port, to restrict the attack surface.
Of course, as long as they do not know this shutdown string (because you
have changed it from the default), they cannot use this anyway.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
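The two settings André describes, the shutdown string (the `shutdown` attribute) and the interface the shutdown port listens on (the `address` attribute, which Tomcat 6 defaults to localhost when it is absent, or `port="-1"` to disable the port entirely), can be audited straight out of server.xml. The script below is an added example, not code from the thread or from the Tomcat project: it parses a constructed server.xml, reports a default shutdown string or a non-loopback bind address, and shows what the hardened `<Server>` element looks like. The sample XML and the helper names are assumptions made up for this illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Tomcat's built-in default for the shutdown command string.
DEFAULT_SHUTDOWN_STRING = "SHUTDOWN"
# Addresses that keep the shutdown port reachable only from the local machine.
LOOPBACK_ADDRESSES = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the shipped default string, and the port deliberately
# bound to every interface (the situation the thread is worried about).
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN" address="0.0.0.0">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: shutdown port switched off altogether.
DISABLED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina" />
</Server>
"""


def audit_shutdown(server_xml: str) -> list:
    """Return human-readable findings about the <Server> shutdown port.

    An empty list means nothing to fix: either the port is disabled, or it
    is loopback-only with a non-default shutdown string.
    """
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        return ["root element is <%s>, expected <Server>" % root.tag]

    port = root.get("port")
    if port is None:
        return ["<Server> has no port attribute; cannot tell whether the shutdown port is open"]
    if port == "-1":
        return []  # nothing listens, so neither the string nor the address matters

    findings = []
    if root.get("shutdown", DEFAULT_SHUTDOWN_STRING) == DEFAULT_SHUTDOWN_STRING:
        findings.append("shutdown string is the default '%s'; anyone who can reach "
                        "port %s can stop Tomcat" % (DEFAULT_SHUTDOWN_STRING, port))

    # Absent attribute means localhost in Tomcat 6, which is the safe case.
    address = root.get("address", "localhost")
    if address not in LOOPBACK_ADDRESSES:
        findings.append("shutdown port %s is bound to %s, not loopback" % (port, address))
    return findings


def harden_shutdown(server_xml: str) -> str:
    """Return server.xml with the shutdown port pinned to localhost and a
    random shutdown string substituted for the default one."""
    root = ET.fromstring(server_xml)
    if root.tag == "Server" and root.get("port") != "-1":
        root.set("address", "localhost")
        if root.get("shutdown", DEFAULT_SHUTDOWN_STRING) == DEFAULT_SHUTDOWN_STRING:
            # 24 random bytes, URL-safe base64; unguessable, unlike "SHUTDOWN".
            root.set("shutdown", secrets.token_urlsafe(24))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("disabled", DISABLED_SERVER_XML),
                      ("hardened", harden_shutdown(WEAK_SERVER_XML))):
        print(name, audit_shutdown(xml) or ["ok"])
    print(harden_shutdown(WEAK_SERVER_XML).splitlines()[0])
```

Run it against a real server.xml by reading the file into `audit_shutdown`; the hardened output is only a starting point, since `ET.tostring` drops the XML declaration and comments, so copy the `address` and `shutdown` attributes into the real file rather than overwriting it wholesale.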