Java Forum / General / September 2006

can Tomcat be hacked?

bikemh - 08 Sep 2006 22:54 GMT
I haven't found any cases mentioned on the web or on usenet. I'd think
that Tomcat is impervious to the usual type of buffer overruns. But
there could always be something. Never say never.

So just to be safe, I'm asking if Tomcat running under Admin on my XP
home computer is safe or not. Thanks.
Arne Vajhøj - 09 Sep 2006 02:51 GMT
> I haven't found any cases mentioned on the web or on usenet. I'd think
> that Tomcat is impervious to the usual type of buffer overruns. But
> there could always be something. Never say never.
>
> So just to be safe, I'm asking if Tomcat running under Admin on my XP
> home computer is safe or not. Thanks.

Anything connected to the web can potentially be hacked.

Buffer overruns are not an issue in Java.

But SQL injection, XSS, session spoofing etc. can be.

I seem to remember that there were problems in
older Tomcat versions.

Also be very careful about various manager/admin
features in Tomcat itself and apps.

Reading:

http://tomcat.apache.org/faq/security.html
http://www.theserverside.com/articles/content/TomcatSecurity/TomcatSecurity.pdf

Arne
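The manager/admin warning above is the kind of thing worth checking mechanically. The following audit of a tomcat-users.xml file is an added example, not code from this thread or from the Tomcat project; it assumes the standard tomcat-users.xml layout (user elements with username, password and roles attributes) and a constructed sample file embedded inline.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to Tomcat's manager/admin web applications.
# "manager" and "admin" are the Tomcat 5.x names; the split manager-*/admin-*
# roles appear in later releases. Any of them deserves a second look.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "manager-status", "admin-gui", "admin-script"}

# Passwords that are the username itself or one of these are flagged.
TRIVIAL_PASSWORDS = {"tomcat", "password", "admin"}

# Constructed sample in the tomcat-users.xml format (not a real config file).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="ops" password="tomcat" roles="tomcat,manager"/>
  <user username="alice" password="c0rrect-h0rse-b4ttery" roles="manager"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for accounts that need attention.

    Two classes of finding: the account can reach the manager/admin apps,
    or its stored password is empty or trivially guessable. The password
    check only makes sense when the realm stores cleartext passwords.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if privileged:
            findings.append((name, "has privileged role(s): " + ",".join(sorted(privileged))))
        if password == "":
            findings.append((name, "empty password"))
        elif password.lower() == name.lower() or password.lower() in TRIVIAL_PASSWORDS:
            findings.append((name, "default or trivially guessable password"))
    return findings


if __name__ == "__main__":
    for username, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{username}: {finding}")
```

Run it against the real file under conf/ of an installation to get the same report; an empty result means no account has a manager/admin role and no cleartext password is obviously weak.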
Chris Uppal - 09 Sep 2006 09:01 GMT
> I haven't found any cases mentioned on the web or on usenet. I'd think
> that Tomcat is impervious to the usual type of buffer overruns. But
> there could always be something. Never say never.
>
> So just to be safe, I'm asking if Tomcat running under Admin on my XP
> home computer is safe or not. Thanks.

/No/ web facing program is ever safe.

(OK, I admit that's an approximation -- but it's a damn good one)

   -- chris
IchBin - 09 Sep 2006 16:46 GMT
> I haven't found any cases mentioned on the web or on usenet. I'd think
> that Tomcat is impervious to the usual type of buffer overruns. But
> there could always be something. Never say never.
>
> So just to be safe, I'm asking if Tomcat running under Admin on my XP
> home computer is safe or not. Thanks.

I ran Apache2 in front of Tomcat to help out performance, security and
flexibility.

Thanks in Advance...
IchBin, Pocono Lake, Pa, USA              http://weconsultants.phpnet.us
'If there is one, Knowledge is the "Fountain of Youth"'
-William E. Taylor,  Regular Guy (1952-)

alexandre_paterson@yahoo.fr - 11 Sep 2006 20:36 GMT
> > I haven't found any cases mentioned on the web or on usenet. I'd think
> > that Tomcat is impervious to the usual type of buffer overruns. But
> I ran Apache2 in front of Tomcat to help out performance, security and
> flexibility.

OK for flexibility and, in many cases, for performance.

But talking about the security of the web server itself (not about
the security of the "web apps"), what exactly are the pros about
running Apache + Tomcat when just Tomcat could do?

I'm not saying there are no security advantages, I'm honestly
asking what are, to you, the benefits from a security point
of view of running Apache + Tomcat.

For I can see at least two disadvantages:
- you open yourself to buffer overflow/overrun exploits (Apache's
security record on that one is definitely not clean)
- you have to do the administration/configuration of two programs
instead of one

So I restate my question: in the case where the performance of
Tomcat is way sufficient for me (*) and where I don't need the
added flexibility that Apache provides, what exactly can Apache
bring me from a security point of view that Tomcat can't?

Thanks in advance for any detailed information,

 Alex

(*) when Tomcat's perf isn't enough I use Resin, but that
is another debate ;)
Mark Space - 09 Sep 2006 22:48 GMT
> I haven't found any cases mentioned on the web or on usenet. I'd think
> that Tomcat is impervious to the usual type of buffer overruns. But
> there could always be something. Never say never.
>
> So just to be safe, I'm asking if Tomcat running under Admin on my XP
> home computer is safe or not. Thanks.

It's best to run no service as root/admin.  Launch Tomcat or Apache and
connect to a non-privileged port (8080 or something),  then redirect
packets from port 80 to port 8080 with the OS.  Now nothing on the
external socket actually has root privileges.
bikemh - 12 Sep 2006 04:07 GMT
> > So just to be safe, I'm asking if Tomcat running under Admin on my XP
> > home computer is safe or not. Thanks.
>
> Launch Tomcat or Apache and
> connect to a non-privileged port (8080 or something),  then redirect
> packets from port 80 to port 8080 with the OS.

How can I redirect packets on XP?
Chris Uppal - 13 Sep 2006 08:56 GMT
> > Launch Tomcat or Apache and
> > connect to a non-privileged port (8080 or something),  then redirect
> > packets from port 80 to port 8080 with the OS.
>
> How can I redirect packets on XP?

I don't think there's any need to do so -- Windows doesn't impose the Unix-y
condition that you have to be root (= have admin permissions)  to listen on
low-numbered ports.  So you should be able to run your server as a user with
virtually no permissions, listening on port 80.

   -- chris
alunharford@yahoo.com - 10 Sep 2006 00:38 GMT
> I haven't found any cases mentioned on the web or on usenet. I'd think
> that Tomcat is impervious to the usual type of buffer overruns. But
> there could always be something. Never say never.
>
> So just to be safe, I'm asking if Tomcat running under Admin on my XP
> home computer is safe or not. Thanks.

An attacker is likely to find it easier to attack servlets running on
Tomcat (which are probably in development, and thus hopelessly
insecure?) than Tomcat itself.
Yes. It's a security risk.

Alun Harford

