On 2015-02-26 Christopher Schultz wrote:
> On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
> > I agree with Leon.
>
> As do I. Apache httpd can change the attack surface somewhat, but if
> requests can still come from an untrusted remote client through to the
> application server, then you still have to protect the application
> server.

ok, makes sense

> > That said, a service account with low privileges only gives
> > filesystem protection; interesting data is usually stored in the
> > database and you won't be more protected against SQL injections or
> > even against a modified jsp stored by the hacker (like in some old
> > STRUTS vulnerabilities).
>
> Absolutely. SQL injections /should not/ be a problem with
> properly-written Java programs given how easy parameterized queries
> are with JDBC, but of course it's also easy to do it the wrong way
> and open yourself up. In this situation, it's the application that
> needs to be audited and not the container.

nicely written, +1

Jan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org