All,

I'm working on documenting ajp13, and I'm noticing that there doesn't seem to be any 
authentication step between the web server and the servlet container (in contrast to 
ajp11 and ajp12, both of which I believe had some sort of shared secret-based 
authentication step when opening up a TCP connection).

Can anyone comment on this?  Was this a deliberate choice?  I've done some searching 
through the mailing list archives with no great success.

The scenario I'm imagining is:

 - Administrator sets up Apache, mod_jk and Tomcat (on the same machine, say).  By 
default, mod_jk and Tomcat communicate over port 8008 (I think).  Because the admin 
doesn't know any better (and because the docs don't specify this), they don't set up 
their firewall to block traffic to that port.

 - Attacker can then open up connections directly to Tomcat, pretending to be Apache, 
and can specify such things as 'remote_user', which, for some web apps, would convince 
Tomcat that Apache had successfully authenticated the user.

What do you all think?

-Dan

-- 

Dan Milstein // [EMAIL PROTECTED]
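As an added illustration of the mitigation a defender would apply to the scenario in this message (this is not part of Dan's post and not from the Tomcat of that era): a Tomcat server.xml AJP connector on its defaults beside one bound to the loopback interface and requiring a shared secret that the mod_jk worker must present. The `address`, `secret` and `secretRequired` connector attributes exist in current Tomcat releases; the port and the secret string are placeholders to adjust for your deployment.

```xml
<!-- Weak: the AJP connector listens on every interface and accepts any
     client that speaks AJP13. A remote client can therefore send request
     attributes such as remote_user and the container treats them as if
     Apache had set them after authenticating the user. -->
<Connector protocol="AJP/1.3" port="8009" />

<!-- Hardened (same-machine Apache + Tomcat, as in the scenario above):
     only accept AJP connections from the local web server, and reject any
     connection that does not present the shared secret configured on the
     mod_jk side. REPLACE_WITH_LONG_RANDOM_SECRET is a placeholder. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
```

The matching mod_jk side sets the same value with `worker.<name>.secret=...` in workers.properties; a host firewall rule dropping inbound traffic to the AJP port from anything but the web server is the belt-and-braces complement to the `address` binding.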
