Remy Maucherat wrote:
> Tim Funk wrote:
>
>> Would the following be vulnerable?
>> 1) Use Jk only
>> 2) do NOT use --> JkMount /servlet/* loadbalancer
>> 3) But the invoker mapping is enabled
>>
>> Would they be vulnerable? I personally don't see a security flaw in
>> this config. But does Jk also look for the text "jsessionid" being
>> passed in the URL and automagically pass it along to tomcat? AFAIK - I
>> thought a Rewrite rule needed to be added to have that behavior.
>
>
> If you do end up passing any <context>/servlet/* URLs to Tomcat, then
> you're safe. However, I would still edit conf/web.xml as explained in
> the advisory to make sure there are no problems in the future.
Of course, this should read "If you do NOT end up" ;-)

Remy
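The advisory's exact conf/web.xml edit is not quoted anywhere in this thread. As an added illustration (not text from the advisory, Remy or Tim), this is what the invoker servlet's declaration and its /servlet/* mapping look like in a stock Tomcat 4.x conf/web.xml, with the mapping commented out. The assumption here is that "edit conf/web.xml as explained in the advisory" means removing that mapping; if the advisory asks for something different, follow it instead.

```xml
<!-- conf/web.xml, Tomcat 4.x default entries for the invoker.
     Added example, not the advisory's own text. Assumption: the fix
     being referred to is removing the invoker's URL mapping. -->

<!-- The servlet declaration can stay as-is. With no <servlet-mapping>
     pointing at it, no request path is ever routed to the invoker. -->
<servlet>
  <servlet-name>invoker</servlet-name>
  <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <load-on-startup>2</load-on-startup>
</servlet>

<!-- This mapping is what makes <context>/servlet/* reach the invoker,
     which then loads and instantiates the class named in the rest of
     the path. Comment it out (or delete it) to disable that behaviour. -->
<!--
<servlet-mapping>
  <servlet-name>invoker</servlet-name>
  <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
```

On the httpd side, Tim's item 2 is the check: a `JkMount /servlet/* loadbalancer` line, or a wider mount that happens to cover it (for example `JkMount /examples/* loadbalancer` covering /examples/servlet/*), is what forwards those URLs to Tomcat through Jk. If no mount matches the path, Apache handles the request itself and Tomcat never sees it, which is the "NOT end up passing" case Remy corrects himself to above. Disabling the mapping in web.xml removes the dependency on getting every JkMount right.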