Posted to dev@tomcat.apache.org by Carlos Gaston Alvarez <ga...@tournet.com.ar> on 2001/08/24 21:10:34 UTC

Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java

Just a security issue.
Confirm that you are not listening only for the necessary characters to know
that it doesn't match, but that you are listening for more. Because if you stop
just when you know it will not match, a hacker can easily guess what the
password is. You should have a (big) minimum to listen for before stopping it.
Sorry if this mail is useless (most probably), just a thought.

Chau,

Gaston


----- Original Message -----
From: "Pier P. Fumagalli" <pi...@betaversion.org>
To: <to...@jakarta.apache.org>
Sent: Tuesday, August 21, 2001 9:10 PM
Subject: Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java


> Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
>
> > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> >> craigmcc    01/08/21 11:51:52
> >>
> >>   Modified:    catalina/src/share/org/apache/catalina/core
> >>                         StandardServer.java
> >>   Log:
> >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> >>   of memory" exception by sending a continuous stream of characters. Now,
> >>   Tomcat will only listen for enough characters to match or not-match the
> >>   required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
>
> Good point... :(
>
>     Pier
>
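The thread above describes two opposite failure modes of a secret-check on a listening port: reading without limit (memory exhaustion from an endless stream) and reading exactly as many bytes as the secret needs (the number of bytes consumed before the socket closes reveals the secret's length, and stopping at the first mismatching position would let a guess be confirmed one character at a time). The class below is an added example written for this page; it is not Tomcat's StandardServer.java or the code from the commit being discussed. It reads a fixed maximum number of bytes that does not depend on the secret, then compares SHA-256 digests of both values with MessageDigest.isEqual so that neither the bytes consumed nor the comparison time depends on where the input diverges. The class name, the 1024-byte cap and the "SHUTDOWN" secret are assumptions chosen for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added example (not Tomcat code): a shutdown-command reader that is bounded
 * against a never-ending stream, yet reads the same amount regardless of
 * where the client's input stops matching the expected command.
 */
public class BoundedShutdownCheck {

    /** Read limit fixed in advance; it is unrelated to the secret's length (assumed value). */
    static final int MAX_COMMAND_BYTES = 1024;

    /**
     * Reads at most MAX_COMMAND_BYTES from the connection. Reading stops only on
     * end-of-stream, a line terminator, or the cap, never because the bytes seen
     * so far already fail to match the secret. Returns the bytes read.
     */
    static byte[] readCommand(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_COMMAND_BYTES];
        int n = 0;
        while (n < MAX_COMMAND_BYTES) {
            int b = in.read();
            if (b < 0 || b == '\n' || b == '\r') {
                break;
            }
            buf[n++] = (byte) b;
        }
        return Arrays.copyOf(buf, n);
    }

    /**
     * Compares fixed-length digests rather than the raw values: the digests are
     * always the same length, so MessageDigest.isEqual examines every byte and the
     * result cannot be narrowed down by timing a partial match or a length guess.
     */
    static boolean isShutdownCommand(byte[] received, byte[] expected) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(received);
            byte[] b = md.digest(expected);
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JCA spec", e);
        }
    }

    /** Demo with constructed inputs: a correct command, a near miss, and a flood. */
    public static void main(String[] args) throws IOException {
        byte[] secret = "SHUTDOWN".getBytes(StandardCharsets.UTF_8); // assumed secret

        char[] flood = new char[100_000];
        Arrays.fill(flood, 'X');           // simulates an endless stream of characters

        String[] inputs = { "SHUTDOWN\n", "SHUTDOWX\n", new String(flood) };
        for (String s : inputs) {
            InputStream in = new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
            byte[] cmd = readCommand(in);
            // The flood case consumes exactly MAX_COMMAND_BYTES and is then rejected.
            System.out.printf("read %d bytes, match=%b%n",
                    cmd.length, isShutdownCommand(cmd, secret));
        }
    }
}
```

In a real listener the read loop would also carry a socket timeout, since a client that sends fewer bytes than the cap and then goes silent would otherwise hold the accept thread; that concern is separate from the length and prefix leakage the thread is about.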


Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java

Posted by Carlos Gaston Alvarez <ga...@tournet.com.ar>.
forget it, I saw the other answers. Sorry.

----- Original Message -----
From: "Carlos Gaston Alvarez" <ga...@tournet.com.ar>
To: <to...@jakarta.apache.org>
Sent: Friday, August 24, 2001 9:10 PM
Subject: Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java


> Just a security issue.
> Confirm that you are not listening only for the necessary characters to know
> that it doesn't match, but that you are listening for more. Because if you stop
> just when you know it will not match, a hacker can easily guess what the
> password is. You should have a (big) minimum to listen for before stopping it.
> Sorry if this mail is useless (most probably), just a thought.
>
> Chau,
>
> Gaston
>
>