yes...this is what I was told...thanks all for the info

On Thu, Feb 18, 2010 at 9:52 AM, André Warnier <a...@ice-sa.com> wrote:
> Curtis Garman wrote:
>> Is this something new for tomcat 6?...I was told there was a security
>> vulnerability there with tomcat 5
>
> Yes. At some point in time in version 5.0 or 5.5 or 6.0, someone realised
> that if this "shutdown port" allowed connections from anywhere, there was a
> theoretical possibility that some miscreant, if he also knew the shutdown
> "password string" (the one indicated by the "shutdown" attribute), might
> send it just to be a pain and annoy everyone by shutting down Tomcat.
> That was when it was decided to only allow connections from localhost on
> that port, to restrict the attack surface.
> Of course, as long as they do not know this shutdown string (because you
> have changed it from the default), they cannot use this anyway.

--
Curtis Garman
Web Programmer
Heartland Community College
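A small audit script for the two settings the thread discusses, the shutdown string and where the shutdown port listens. This is an added example, not code from the thread or from the Tomcat project. It reads a server.xml and reports a `<Server>` element that still carries the stock `shutdown="SHUTDOWN"` string, or whose `address` attribute binds the shutdown port to something other than loopback; `port="-1"` (Tomcat's documented way to disable the shutdown port) is treated as nothing to report. The sample XML fragments are constructed for the example, and the fallback defaults assumed when an attribute is absent (port 8005, address localhost) are assumptions stated in the comments.

```python
"""Audit a Tomcat server.xml for the shutdown-port settings discussed in the thread.

Added example, not from the original thread or the Tomcat project. It inspects
the <Server> element's documented `port`, `shutdown` and `address` attributes.
"""
import xml.etree.ElementTree as ET
from typing import List

STOCK_SHUTDOWN_STRING = "SHUTDOWN"          # value shipped in the stock server.xml
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # addresses that keep the port local-only


def audit_server_xml(xml_text: str) -> List[str]:
    """Return a list of findings (empty list means nothing to change)."""
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        return ["root element is not <Server>; this does not look like a Tomcat server.xml"]

    # Assumed fallbacks when the attribute is missing (8005 / localhost); a real
    # deployment should set them explicitly rather than rely on these.
    port = root.get("port", "8005")
    shutdown = root.get("shutdown", STOCK_SHUTDOWN_STRING)
    address = root.get("address", "localhost")

    if port == "-1":
        # Shutdown port disabled: nothing listens, so neither setting matters.
        return []

    findings = []
    if shutdown == STOCK_SHUTDOWN_STRING:
        findings.append(
            f"shutdown string is the stock default '{STOCK_SHUTDOWN_STRING}'; change it"
        )
    if address not in LOOPBACK:
        findings.append(f"shutdown port {port} is bound to {address!r}, not to loopback")
    return findings


# Constructed sample configurations (not from any real deployment).
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN" address="0.0.0.0">
  <Service name="Catalina"/>
</Server>
"""

HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="CHANGE-ME-TO-A-LONG-RANDOM-STRING" address="127.0.0.1">
  <Service name="Catalina"/>
</Server>
"""

DISABLED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina"/>
</Server>
"""


def audit_file(path: str) -> List[str]:
    """Convenience wrapper for a server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER_XML),
                        ("hardened", HARDENED_SERVER_XML),
                        ("disabled", DISABLED_SERVER_XML)):
        print(label, audit_server_xml(text) or "OK")
```

Run it against a real file with `audit_file("/path/to/conf/server.xml")`. The `address` check mirrors what the thread describes (connections only from localhost); the shutdown-string check covers André's point that the default string is the part you are expected to change. Anything listening on the shutdown port can also be confirmed from the OS side with a socket listing such as `ss -ltn` and looking for the bind address next to the configured port.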