André,

On 9/29/2011 5:59 PM, André Warnier wrote:
> Addendum : And then we're gonna make sure that the configuration
> files of Tomcat are given appropriate permissions so that only
> Tomcat and authorized users can browse said secret. End of
> addendum.

While that's a good idea in general, it doesn't help prevent this attack unless there is a trusted insider. Setting the shared secret means that nobody entirely outside your environment can inject an AJP message into Tomcat.

Read the bug report if you haven't already done so... it's quite a brilliant attack.

-chris
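As an added illustration of the shared-secret setting discussed in this thread (this is not code from the thread or from the Tomcat project), the script below audits a Tomcat `server.xml` and flags AJP connectors that carry no shared secret or are bound to every interface. The two `server.xml` fragments are constructed samples; the secret value is a placeholder, and the attribute names (`requiredSecret` on Tomcat 7.0 / 8.5 before 8.5.51, `secret` on later releases) are the real connector attributes.

```python
"""Audit AJP connectors in a Tomcat server.xml for the shared-secret setting."""
import xml.etree.ElementTree as ET

# Attribute names that carry the AJP shared secret on the Tomcat side:
# 'requiredSecret' (Tomcat 7.0 / 8.5 before 8.5.51), 'secret' (8.5.51+ / 9.0.31+).
SECRET_ATTRS = ("requiredSecret", "secret")
LOOPBACK = ("127.0.0.1", "::1", "localhost")

# Constructed sample: AJP connector with no secret, listening on all interfaces.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: same connector with a (placeholder) secret, bound to loopback.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="REPLACE-WITH-LONG-RANDOM-VALUE" redirectPort="8443" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding (string) per weakness found on each AJP connector."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # HTTP connectors are not in scope here
        port = conn.get("port", "?")
        secret = next((conn.get(a) for a in SECRET_ATTRS if conn.get(a)), None)
        if not secret:
            findings.append(f"AJP connector on port {port}: no shared secret configured")
        elif len(secret) < 16:
            findings.append(f"AJP connector on port {port}: shared secret is short")
        # Binding to loopback suits a front end on the same host; otherwise bind
        # to the internal interface the front end actually uses.
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            findings.append(f"AJP connector on port {port}: bound to {address or 'all interfaces'}")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml) or ["no findings"])
```

The same value must be set on the front-end side, e.g. `worker.<name>.secret` in mod_jk's `workers.properties`, or the connector will reject every request.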