Martin van den Bemt at [EMAIL PROTECTED] wrote:
>>
>> It takes 5 minutes to write an AJP client that hacks into Tomcat.
>
> I guess that only works when the ports are not blocked by a firewall and, e.g.,
> the address="127.0.0.1" is not added to the server.xml?
No, it won't. Anyway, as many are using the web server modules to have Apache
and Tomcat running on different machines (or load balancing), it's not an
issue that can be lightly "discarded"...
> Not everyone was around by then... And when growing up with MS, not a lot of
> people are made aware of security issues, since it has a nice UI to let you
> handle everything.. (this was sarcasm btw..).. Hope people are alarmed by
> the Code Red thing in IIS though, so that they see their systems are far from secure.
If you weren't around in '98, well, not much I can do, and if you grew up
with MS that's a point that doesn't play to your advantage when talking
about security. That's why it is so important to _know_ exactly what goes on
on the systems before talking about security...
And it's important to stress this factor on this very mailing list. No
system is secure, _ever_; at least let's try not to give the wrong
information to our users. IMO, on security, it is better not to answer a
question than to answer it in a wrong way.
> Didn't read it completely, but I read the security section and it's a nice
> overview of what can go wrong.. The problem is that not many companies have
> the knowledge and the willingness to pay someone to prevent a lot of stuff from
> happening. (How good is, e.g., Unix security when you run sendmail?) (I use djb
> stuff btw)..
Well, that's why we wrote it back then in JServ days.
> Maybe a nice security advisory should be made (just a couple of links for those
> issues you mentioned in your paper and some extra tips) and make that document
> highly noticeable..
I'm not involved in any way with the 3.x development, I was over in XML land
taking care of other stuff. I got back to go on with the effort that was
JServ 2.0 (later on renamed Catalina, and shipped as the servlet container
of Tomcat 4.0). And in 4.0's documentation there will be a long digression
about security, don't worry.
> You can stop crying (quoting you..) then and say that everything was done to
> tell the user: do something about security.. If they don't do it anyway:
> too bad for them..
I won't stop crying. I'm almost sure I'm right. And I am doing something about
security: I'm crying out loud "DON'T RUN ANYTHING AS ROOT ON YOUR SERVER".
Pier
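The exchange above turns on two concrete settings: whether the AJP port is reachable from anything other than the front-end web server, and whether the connector is bound to the loopback address. The fragment below is an added illustration, not part of the original mailing-list thread and not the 3.x-era server.xml Pier and Martin were discussing; it uses the `<Connector>` syntax of a modern Tomcat (8.5.51 / 9.0.31 or later, where `secretRequired` and `secret` exist). The port number 8009, the `secret` value and the assumption that the Apache front end runs on the same host are illustrative.

```xml
<!-- Added example, not from the original thread.
     Weak: the AJP connector listens on every interface, so anyone who can
     reach TCP/8009 can speak AJP to Tomcat directly, bypassing whatever
     Apache enforces in front of it. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="0.0.0.0"
           secretRequired="false" />

<!-- Corrected: bind to loopback only (Apache and Tomcat on the same box),
     and require the shared AJP secret so a stray client on the host still
     cannot talk to the connector without it. "change-me" is a placeholder. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="change-me" />
```

When Apache and Tomcat sit on different machines (the load-balancing case Pier raises), `address="127.0.0.1"` is not an option; there the connector has to be bound to the interface facing the web server, the port restricted by a host firewall to the web server's address, and the shared secret configured on both ends (`secret=` on the mod_proxy_ajp/mod_jk side as well). Treating the AJP port as an unauthenticated, administrative-grade interface is the point of the thread, whatever version of Tomcat is in use.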