Aurélien,
On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
> I agree with Leon.

As do I. Apache httpd can change the attack surface somewhat, but if
requests can still come from an untrusted remote client through to the
application server, then you still have to protect the application server.

> That said, a service account with low privileges only gives
> filesystem protection; interesting data is usually stored in the
> database and you won't be more protected against SQL injections or
> even against a modified jsp stored by the hacker (like in some old
> STRUTS vulnerabilities).

Absolutely. SQL injections /should not/ be a problem with properly-written
Java programs given how easy parameterized queries are with JDBC, but of
course it's also easy to do it the wrong way and open yourself up. In this
situation, it's the application that needs to be audited and not the
container.

> If you can't buy a real WAF, you still can configure Apache with
> ModSecurity or even try the LUA experimental module (
> http://blog.river-tiger.com/cheapest-application-firewall ) but
> don't expect high performance with it.

I had never heard of the LUA hack. I'll have to look into it.
-chris