Christopher Schultz wrote:
> André,
>
> On 9/29/2011 5:59 PM, André Warnier wrote:
>> Addendum: And then we're gonna make sure that the configuration
>> files of Tomcat are given appropriate permissions so that only
>> Tomcat and authorized users can browse said secret. End of
>> addendum.
>
> While that's a good idea in general,

That is how it was meant.
It just seemed to fit well with the general gist of this conversation.

> it doesn't help prevent this
> attack unless there is a trusted insider.
>
> Setting the shared secret means that nobody entirely outside your
> environment can inject an AJP message into Tomcat. Read the bug report
> if you haven't already done so... it's quite a brilliant attack.

I'll do that then.

Trusted insider? Sounds intriguing.
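The two hardening steps discussed in this exchange, a shared secret on the AJP connector and restrictive permissions on the file that holds it, can be checked mechanically. The script below is an added example, not code from either poster or from the Tomcat project. It assumes the connector is declared in server.xml with the `requiredSecret` attribute used by Tomcat 6/7 connectors of that era (newer 8.5/9 releases call it `secret`, which the check also accepts), and the two sample configuration files it writes to a temporary directory are constructed for the demonstration; the secret value in them is a placeholder.

```shell
#!/bin/sh
# Added example: verify the AJP hardening described in the thread.
#  1) the AJP/1.3 connector in server.xml carries a shared secret
#  2) the file that now contains that secret is not readable by "other"
# Attribute names assumed: requiredSecret (Tomcat 6/7) or secret (Tomcat 8.5.51+/9.0.31+).

# Return 0 if the given server.xml defines an AJP/1.3 connector with a
# non-empty secret attribute, 1 otherwise.
ajp_has_secret() {
  f="$1"
  # Join lines first so a <Connector .../> element split over several lines
  # is matched as one unit; then keep only AJP connectors.
  tr '\n' ' ' < "$f" \
    | grep -o '<Connector[^>]*>' \
    | grep 'AJP/1.3' \
    | grep -Eq ' (secret|requiredSecret)="[^"]+"'
}

# Return 0 if "other" has no read permission on the file, 1 otherwise.
# Column 8 of `ls -l` output is the "other" read bit (portable across
# GNU and BSD ls, unlike stat's format flags).
not_world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Write two constructed sample configurations into a temp directory and
# print that directory: one connector without a secret and world-readable,
# one bound to loopback with a placeholder secret and mode 640.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/weak.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
  cat > "$dir/hardened.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="EXAMPLE-SECRET-REPLACE-ME" redirectPort="8443" />
  </Service>
</Server>
EOF
  chmod 644 "$dir/weak.xml"
  chmod 640 "$dir/hardened.xml"
  echo "$dir"
}

# Demo: report both checks for each constructed sample.
demo_dir=$(make_samples)
for f in "$demo_dir/weak.xml" "$demo_dir/hardened.xml"; do
  if ajp_has_secret "$f"; then s=present; else s=MISSING; fi
  if not_world_readable "$f"; then p=ok; else p=WORLD-READABLE; fi
  echo "$f: secret=$s perms=$p"
done
```

Point `ajp_has_secret` and `not_world_readable` at a real `conf/server.xml` to audit an installation; the secret check only confirms that an attribute is set, so the value itself still has to be long, random, and identical to the one configured on the mod_jk or mod_proxy_ajp side.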
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org