> -----Original Message-----
> From: Pier P. Fumagalli [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 18, 2001 3:41 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Why and How Tomcat before Apache?
>
>
> Martin van den Bemt at [EMAIL PROTECTED] wrote:
>
> >>> down your server or delete your webapp or other data. You don't solve
> >>> that problem with running as a seperate user..
> >>
> >> Tomcats ports are not visible from the outside. Only access is through
> >> apache - ie mod_jk ...
> >
> > do a telnet to your port 8007 or 8009 and you'll see what I mean..
>
> It takes 5 minutes to write an AJP client that hacks into Tomcat.
I guess that only works when the ports are not blocked by a firewall and e.g.
the address="127.0.0.1" is not added to the server.xml?
> We started
> saying this in 1998, when we released Apache JServ 1.0 and I cry
> to see that
> still today people do not think about it... (BTW, in AJP version following
> the original, the authentication mechanism was disabled because of
> performance issues - and because I wasn't there when they "designed"
> those)
Not everyone was around back then... And when growing up with MS, not a lot of
people are made aware of security issues, since it has a nice UI to let you
handle everything.. (this was sarcasm btw..).. Hope people are alarmed by
the Code Red thing in IIS, though, that their systems are far from secure.
> Check out <http://www.apache.org/~stefano/papers/> in the 1998 section.
> (Both of them are quite nice readings, or at least I hope it will be as
> nice as it was writing them)
Didn't read it completely, but I read the security section and it's a nice
overview of what can go wrong.. The problem is that not many companies have
the knowledge and willingness to pay someone to prevent a lot of stuff from
happening. (how good is e.g. Unix security when you run sendmail?) (I use djb
stuff btw).. Maybe a nice security advisory should be made (just a couple of
links for those issues you mentioned in your paper and some extra tips) and
make that document highly noticeable.. You can stop crying (quoting you..)
then and say that everything was done to tell the user: do something
about security.. If they don't do it anyway: too bad for them..
Kind regards,
Martin
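The exchange above comes down to one check: is the AJP connector (port 8007/8009) bound so that only the local Apache can reach it, or will it answer anyone who can "telnet to your port 8009"? The script below is an added example, not code from the thread, from Tomcat, or from mod_jk. It parses a constructed server.xml written in the modern `<Connector port=... protocol="AJP/1.3" address=.../>` style (an assumption; the Tomcat 3.x configuration of 2001 used a different connector syntax) and flags every AJP connector that is not restricted to a loopback address, which is exactly the `address="127.0.0.1"` fix Martin mentions. It also includes a scriptable version of the telnet test for use from another host; the sample XML is constructed for the example.

```python
"""Audit a Tomcat server.xml for AJP connectors that are reachable from off-box."""
import socket
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment) in the modern Tomcat server.xml
# style, which is an assumption for this example. Two AJP connectors: one with
# no address attribute, which Tomcat treats as "bind to all interfaces", and
# one restricted to loopback as the thread recommends.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>
"""

# Addresses from which only processes on the same machine can connect.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_connectors(server_xml: str):
    """Return (port, address) for every Connector whose protocol is an AJP variant.

    address is None when the attribute is absent, i.e. the connector listens on
    every interface of the host.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if proto.upper().startswith("AJP"):
            found.append((int(conn.get("port")), conn.get("address")))
    return found


def exposed_ajp_connectors(server_xml: str):
    """AJP connectors that would accept a connection from another host.

    This is the exposure Pier describes: anyone who can reach the port can speak
    AJP to Tomcat directly, bypassing whatever Apache/mod_jk enforces in front.
    A connector counts as exposed unless it is pinned to a loopback address.
    """
    return [(port, addr) for port, addr in ajp_connectors(server_xml)
            if addr is None or addr not in LOOPBACK]


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Scriptable form of Martin's 'telnet to port 8009', run from a second machine.

    True means the TCP handshake completed, so the AJP port is open to that
    network. A firewall that drops the packet shows up as a timeout; a port that
    is not listening on that address is refused. Both return False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for port, addr in exposed_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port} binds to {addr or 'all interfaces'}: "
              'set address="127.0.0.1" or block the port at the firewall')
```

Run the config audit on the box itself and the `port_reachable` probe from a host on the other side of whatever firewall you believe is there; the two disagreeing is the interesting case. Binding to loopback only helps when Apache and Tomcat share a machine; for a separate Apache host the port has to stay open to that host and the firewall rule carries the whole burden. Newer Tomcat releases (9.0.31 and later) additionally refuse to start an AJP connector without a shared `secret` unless `secretRequired="false"` is set, which restores the kind of authentication Pier says was dropped from later AJP versions.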