The latest version of Tomcat 4.0 from CVS supports the Java SecurityManager.
Tomcat 4.0 Beta 1 did not.

The Java SecurityManager can restrict access to those properties and do a 
great deal more to assist you in running a secure application server.

I wouldn't consider what you reported as a bug now that the Java SecurityManager
has been implemented.

BTW, if you are attending ApacheCon 2001 Apr 4-6, I will be presenting a session on
"Tomcat Server and Application Security" that goes into great detail on
how the Java SecurityManager works and using it with Tomcat.

Regards,

Glenn

[EMAIL PROTECTED] wrote:
> 
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=389
> 
> *** shadow/389  Mon Mar 12 13:27:37 2001
> --- shadow/389.tmp.1035 Mon Mar 12 13:27:37 2001
> ***************
> *** 0 ****
> --- 1,22 ----
> + +============================================================================+
> + | Security Issue? Important attributes exposed by ServletContext can be modi |
> + +----------------------------------------------------------------------------+
> + |        Bug #: 389                         Product: Tomcat 4                |
> + |       Status: UNCONFIRMED                 Version: 4.0 Beta 1              |
> + |   Resolution:                            Platform: All                     |
> + |     Severity: Normal                   OS/Version: All                     |
> + |     Priority: High                      Component: Catalina                |
> + +----------------------------------------------------------------------------+
> + |  Assigned To: [EMAIL PROTECTED]                                 |
> + |  Reported By: [EMAIL PROTECTED]                                    |
> + |      CC list: Cc:                                                          |
> + +----------------------------------------------------------------------------+
> + |          URL:                                                              |
> + +============================================================================+
> + |                              DESCRIPTION                                   |
> + Hi:
> +
> +   The attributes such as "org.apache.catalina.classloader", 
>"org.apache.catalina.jsp_classpath" are exposed through ServletContext and can be 
>easily modified. No security violation is generated and anybody with an application 
>installed on the web server can modify these variables. Is n't it a security problem 
>for Tomcat?
> +
> + Thanks
> + -Ramesh
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]

-- 
----------------------------------------------------------------------
Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
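As an added illustration (not code from Tomcat or from this thread) of the kind of check a SecurityManager makes possible: a stand-in for a ServletContext attribute store that demands a hypothetical ContainerAttributePermission before any code may overwrite an org.apache.catalina.* attribute. Under the JDK's default policy no such permission is granted to application code, so once a SecurityManager is installed the overwrite is refused while ordinary application attributes still work.

```java
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.util.HashMap;
import java.util.Map;

// Hypothetical permission (not a Tomcat class) naming the attribute being guarded.
// BasicPermission gives wildcard matching, so a policy could grant
// "org.apache.catalina.*" to container code only.
final class ContainerAttributePermission extends BasicPermission {
    ContainerAttributePermission(String attributeName) { super(attributeName); }
}

// Minimal stand-in for a ServletContext attribute store (save as GuardedContext.java).
public class GuardedContext {
    private static final String INTERNAL_PREFIX = "org.apache.catalina.";
    private final Map<String, Object> attributes = new HashMap<>();

    public Object getAttribute(String name) { return attributes.get(name); }

    public void setAttribute(String name, Object value) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null && name.startsWith(INTERNAL_PREFIX)) {
            // Throws AccessControlException unless every frame on the call stack
            // (i.e. the caller's code source) has been granted the permission.
            sm.checkPermission(new ContainerAttributePermission(name));
        }
        attributes.put(name, value);
    }

    public static void main(String[] args) {
        GuardedContext ctx = new GuardedContext();
        // The container initialises its internal attribute before the manager is installed.
        ctx.setAttribute("org.apache.catalina.jsp_classpath", "/opt/tomcat/lib");

        System.setSecurityManager(new SecurityManager()); // default JDK policy now applies

        ctx.setAttribute("myapp.greeting", "hello");       // ordinary attribute: allowed
        try {
            ctx.setAttribute("org.apache.catalina.jsp_classpath", "/some/other/path");
            System.out.println("not denied: internal attribute was overwritten");
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getPermission());
        }
        System.out.println("jsp_classpath is still "
                + ctx.getAttribute("org.apache.catalina.jsp_classpath"));
    }
}
```

The classic SecurityManager API is deprecated in recent JDKs: on JDK 18 through 23 run with -Djava.security.manager=allow, and on JDK 24 or later the call to setSecurityManager is no longer supported.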
