Amit,

On 9/7/2011 6:38 PM, Christopher Schultz wrote:
> I've been trying to determine if using an AJP "secret" will thwart
> this kind of attack. I suspect it will, but I can't get my TC to
> take a secret just now (see my post under separate cover).

Confirmed: setting a "secret" on your AJP connection will prevent these
types of attack messages from being processed by Tomcat. See the CVE
announcement which includes this technique as a mitigatory action:

http://markmail.org/message/w5ya5e2xv5xaw3zd

-chris
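
Added example (not part of the original message, and not Tomcat project code): a small audit that lists the AJP connectors in a server.xml and flags those with no secret configured, which is the mitigation confirmed above. The sample XML, ports and placeholder secret are constructed; the attribute is named `requiredSecret` on older Tomcat releases and `secret` on newer ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original post): an HTTP
# connector, an AJP connector without a secret, and one with a secret.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpProtocol"
               requiredSecret="PLACEHOLDER-SHARED-SECRET" />
  </Service>
</Server>
"""

# "requiredSecret" on older Tomcat releases, "secret" on newer ones.
SECRET_ATTRS = ("secret", "requiredSecret")


def is_ajp(connector):
    """True for AJP/1.3 or an org.apache.coyote.ajp.* protocol class."""
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def audit_ajp_connectors(server_xml):
    """Return (port, has_secret) for every AJP <Connector> in the XML text."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        # An empty value is treated as missing (this example's conservative choice).
        has_secret = any(conn.get(attr) for attr in SECRET_ATTRS)
        results.append((conn.get("port", "?"), has_secret))
    return results


def unprotected_ports(server_xml):
    """Ports of AJP connectors that have no secret configured."""
    return [port for port, ok in audit_ajp_connectors(server_xml) if not ok]


if __name__ == "__main__":
    for port, ok in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {'secret set' if ok else 'NO SECRET'}")
```

The front-end proxy has to send the same value; for mod_jk that is the worker's `secret` directive in workers.properties.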