On Mon, Oct 7, 2019 at 11:00 AM Christopher Schultz < ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove CGI Servlet

+1

> Justification:
>
> The CGIServlet is another component, like server-side-includes, which
> is a remote-code execution (RCE) vulnerability as a feature. It is
> very easy to misconfigure. It is arguably not possible to secure it on
> Windows[2]. There are better solutions if you want to run Perl,
> Python, PHP, or whatever on your server in the form of the many fine
> web-server products out there.

I thought this was a really weird feature for Tomcat to provide anyway :)

> -chris
>
> [1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat
> [2] https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
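A practical follow-up to the proposal above, added here as an illustration and not code from the thread or from the Tomcat project: until the servlet is actually removed, the thing to check on a deployed instance is whether the CGI or SSI servlet declarations in conf/web.xml have been uncommented and mapped. Tomcat ships both commented out, so a plain XML parse (comments are dropped) reports only what is live. The two web.xml fragments below are constructed samples for the check; the class names are the real ones, everything else (function names, the sample URL patterns) is illustrative.

```python
"""Report Tomcat's RCE-as-a-feature servlets (CGI, SSI) when they are
both declared and mapped in a web.xml.  Added example, not Tomcat code."""
import xml.etree.ElementTree as ET

# Real class names of the two servlets discussed in the thread.
RISKY_SERVLETS = {
    "org.apache.catalina.servlets.CGIServlet": "CGI",
    "org.apache.catalina.servlets.SSIServlet": "SSI",
}


def _local(tag):
    """Strip the XML namespace so the check works with both the
    java.sun.com and xmlns.jcp.org web-app schemas."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def find_enabled_risky_servlets(web_xml_text):
    """Return [(kind, servlet-name, [url-patterns])] for risky servlets
    that are declared AND mapped.  A declaration without a mapping, or a
    block still inside an XML comment, is not reachable and is skipped."""
    root = ET.fromstring(web_xml_text)
    declared = {}
    for elem in root.iter():
        if _local(elem.tag) == "servlet":
            name = _child_text(elem, "servlet-name")
            cls = _child_text(elem, "servlet-class")
            if name and cls in RISKY_SERVLETS:
                declared[name] = RISKY_SERVLETS[cls]
    mapped = {}
    for elem in root.iter():
        if _local(elem.tag) == "servlet-mapping":
            name = _child_text(elem, "servlet-name")
            if name in declared:
                patterns = [c.text.strip() for c in elem
                            if _local(c.tag) == "url-pattern" and c.text]
                mapped.setdefault(name, []).extend(patterns)
    return [(declared[n], n, pats) for n, pats in mapped.items()]


def scan_file(path):
    """Convenience wrapper for a real $CATALINA_BASE/conf/web.xml."""
    with open(path, encoding="utf-8") as fh:
        return find_enabled_risky_servlets(fh.read())


# Constructed sample: CGI uncommented and mapped, SSI left commented out.
ENABLED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>cgiPathPrefix</param-name><param-value>WEB-INF/cgi</param-value></init-param>
  </servlet>
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.SSIServlet</servlet-class>
  </servlet>
  -->
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample mirroring the shipped default: both blocks commented out.
DEFAULT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""

if __name__ == "__main__":
    for label, doc in (("enabled", ENABLED_WEB_XML), ("default", DEFAULT_WEB_XML)):
        hits = find_enabled_risky_servlets(doc)
        print(label, "->", hits or "no CGI/SSI servlet reachable")
```

Run it against $CATALINA_BASE/conf/web.xml and each web application's WEB-INF/web.xml, since either place can declare the servlet. A hit means the URL pattern hands request paths to an external interpreter, which is exactly the "RCE as a feature" Chris describes; the fix is to comment the declaration and mapping back out. Tomcat additionally requires the Context to be marked privileged before CGIServlet will load, and this script does not inspect context.xml for that, so treat a clean result here as necessary but not sufficient.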