Hi James,
see below:
On 2019-10-21 23:34, James H. H. Lampert wrote:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
Mark mentioned it before, that can also go into your app's web.xml and
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
In the filter mapping section of the web.xml add the following.
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Before I installed the above filte
Thanks to all who have responded (especially Mr. Schultz), and thanks in
advance to anybody else who responds. It will be a few more days before I can
act on the information. I'm not ignoring any of you; I'm gathering information
so I can solve the problem ASAP upon my return to work from my vac
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 10/2/19 01:34, jam...@touchtonecorp.com wrote:
> We have a customer who is particularly concerned about security.
>
> We just updated their Tomcat, which solved all the issues coming up
> in their security scan, except for one involving th
On 02/10/2019 07:05, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Tomcat 7.0.63 and above.
>
> Navigate to the tomcat conf directory and open the web.xml with a text editor.
If you edit $CATALINA_BASE/conf/web.xml that will apply to every web
application deployed on the Tomcat instance. You may
Sent: Wednesday, October 2, 2019 12:35 AM
To: Tomcat Users List
Subject: Security issue involving HTTP response headers
We have a customer who is particularly concerned about security.
We just updated their Tomcat, which solved all the issues coming up in their
security scan, except for one involving the following HTTP headers:
X-FRAME-OPTIONS
X-XSS-PROTECTION
X-CONTENT-TYPE-OPTIONS
and strict transport security
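The four headers in this scan finding are exactly the ones HttpHeaderSecurityFilter exists to add, so the useful check after mapping it (in conf/web.xml for the whole instance, or in the application's own web.xml as discussed above) is to look at what the browser actually receives. The Python script below is an added example for this thread, not code from the list or from Tomcat. It encodes the filter's documented behaviour: X-Frame-Options from antiClickJackingOption (DENY by default, SAMEORIGIN in the thread's configuration), X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block, and Strict-Transport-Security, which the filter only emits for requests Tomcat itself considers secure and which carries max-age=0 unless hstsMaxAgeSeconds is set. Every header set in the script is a constructed sample, not a captured response.

```python
"""Audit the response headers named in the scan finding above.

Added example for this thread, not code from the list or from Tomcat.
The header dictionaries below are constructed samples.
"""
from typing import Dict, List

# Header -> values HttpHeaderSecurityFilter can emit for it.
EXPECTED = {
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block"},
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into its directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def audit(headers: Dict[str, str], browser_uses_tls: bool) -> List[str]:
    """Return sorted findings; an empty list means all four scan items pass."""
    seen = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []
    for name, allowed in EXPECTED.items():
        if name not in seen:
            findings.append(f"missing {name}")
        elif seen[name] not in allowed:
            findings.append(f"unexpected {name}: {seen[name]!r}")
    # HSTS only matters on the TLS origin; the filter only adds it when
    # request.isSecure() is true inside Tomcat, and with max-age=0 unless
    # hstsMaxAgeSeconds is configured, which browsers treat as "forget HSTS".
    if browser_uses_tls:
        hsts = seen.get("strict-transport-security")
        if hsts is None:
            findings.append("missing strict-transport-security")
        elif int(parse_hsts(hsts).get("max-age", "0")) <= 0:
            findings.append("strict-transport-security max-age is 0 (hstsMaxAgeSeconds not set)")
    return sorted(findings)


# Constructed sample 1: stock Tomcat, filter still commented out in conf/web.xml.
NO_FILTER = {
    "Content-Type": "text/html;charset=UTF-8",
    "Transfer-Encoding": "chunked",
}
# Constructed sample 2: filter mapped to /* with defaults only, request seen as secure.
FILTER_DEFAULTS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=0",  # hstsMaxAgeSeconds left at its default
    "Content-Type": "text/html;charset=UTF-8",
}
# Constructed sample 3: antiClickJackingOption=SAMEORIGIN, hstsMaxAgeSeconds=31536000,
# hstsIncludeSubDomains=true.
FILTER_TUNED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "text/html;charset=UTF-8",
}
# Constructed sample 4: same filter, but TLS ends on a proxy in front and the
# Tomcat connector is not told the request was secure, so no HSTS is emitted.
FILTER_BEHIND_PROXY = {k: v for k, v in FILTER_TUNED.items()
                       if k != "Strict-Transport-Security"}

if __name__ == "__main__":
    for label, hdrs in [("no filter", NO_FILTER), ("defaults", FILTER_DEFAULTS),
                        ("tuned", FILTER_TUNED), ("behind proxy", FILTER_BEHIND_PROXY)]:
        print(f"{label}: {audit(hdrs, browser_uses_tls=True) or 'OK'}")
```

The fourth sample is the one to watch for in a reverse-proxy setup: when TLS is terminated in front of Tomcat and the proxy hop is plain HTTP, the filter sees an insecure request and sends no Strict-Transport-Security at all. Marking the proxy-facing connector secure="true", or letting RemoteIpValve derive it from X-Forwarded-Proto, fixes that at the source rather than adding the one header on the proxy and forgetting the other three. To check a live host, build the dictionary from `urllib.request.urlopen(url).headers.items()` and call audit with browser_uses_tls=True.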
> Date: Fri, 12 Jul 2013 13:53:39 +0530
> Subject: Re: Security Issue in Tomcat
> From: pe.chanaka...@gmail.com
> To: users@tomcat.apache.org
>
> Hi Ognjen,
>
> On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
> >
> >> I'm using Tomcat 7.0.40 for a hosted
Hi Ognjen,
On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
>
>> I'm using Tomcat 7.0.40 for a hosted application. I have not configured any
>> user accounts for tomcat (admin, manager, user etc.). Recently my deployed
>> web application was damaged. Restarting tomcat recovered it back.
>>
>> But it s
Chanaka,
On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
I'm using Tomcat 7.0.40 for a hosted application. I have not configured any
user accounts for tomcat (admin, manager, user etc.). Recently my deployed
web application was damaged. Restarting tomcat recovered it back.
But it seems someone tri
Hi All,
I'm using Tomcat 7.0.40 for a hosted application. I have not configured any
user accounts for tomcat (admin, manager, user etc.). Recently my deployed
web application was damaged. Restarting tomcat recovered it back.
But it seems someone tried to access my tomcat and delete some files(I
gue
2012/9/30 Konstantin Kolinko :
> 2012/9/28 Christopher Schultz :
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Konstantin,
>>
>> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>>> 2012/9/28 Joan Morales :
>>>> Hi,
>
2012/9/28 Christopher Schultz :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Konstantin,
>
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012/9/28 Joan Morales :
>>> Hi,
>>>
>>> I have a security issue (hijack session) with JSESSI
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Joan,
On 9/28/12 1:27 PM, Joan Morales wrote:
> I already try with AJP, but I cant get rid of the JSESSIONID cookie
> either
Can you please describe your configuration for that scenario again?
Your original description was a bit hard to follow.
-c
ntin Kolinko wrote:
>> 2012/9/28 Joan Morales :
>>> Hi,
>>>
>>> I have a security issue (hijack session) with JSESSIONID cookie,
>>>
>>> here is the problem:
>>>
>>> I am using an architecture with an Apache2 server in front of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Konstantin,
On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
> 2012/9/28 Joan Morales :
>> Hi,
>>
>> I have a security issue (hijack session) with JSESSIONID cookie,
>>
>> here is the problem:
>>
>> I am
Hi Joan,
"cookie", from my understanding, uses the
SSL session-ID as the cookie-value in the Tomcat container. This value
will be different from what Apache assigns on the front-end SSL connection
to the browser (as Konstantin pointed out). With tracking-mode COOKIE, I
believe, a JSESSIONID cook
I put the
SSL because I thought it was necessary to handle
the SSL on TC; anyway, I'll change it to COOKIE and see what happens.
Another couple of ideas were to use a Valve for SSL on TC or enable the
mod_header on Apache, but any idea on how this would help?
Thanks,
Joan
--
Joan Morales
Hi Joan,
What happens when you change the web.xml settings to:
--web.xml:
<session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
--
Thanks.
-Shanti
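Shanti's web.xml change makes Tomcat issue a JSESSIONID cookie instead of keying the session on the TLS session id, which in this architecture is the Apache-to-Tomcat session rather than the browser's. Once the cookie is in use, the hijack question becomes what attributes it carries when it crosses the httpd front-end. The Python check below is an added example for this thread, not code from the list or from Tomcat; the Set-Cookie lines in it are constructed. The caveat it is built around: Tomcat only marks the session cookie Secure when it sees the request itself as secure, so with TLS terminated on Apache and a plain-HTTP proxy hop the cookie goes out without Secure unless the Tomcat connector is marked secure or web.xml sets <cookie-config><secure>true</secure></cookie-config> (Servlet 3.0, so Tomcat 7 and later).

```python
"""Check the JSESSIONID cookie as it reaches the browser through the
httpd front-end. Added example for this thread, not code from the list
or from Tomcat; every Set-Cookie line below is a constructed sample.
"""
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split 'NAME=value; Path=/app; Secure; HttpOnly' into a dict.
    Attribute names are lower-cased; flag attributes map to None."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_value else None
    return cookie


def audit_session_cookie(set_cookie_headers: List[str]) -> List[str]:
    """Findings for the session cookie of a response the browser received over TLS."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    session = [c for c in cookies if c["name"] == "JSESSIONID"]
    if not session:
        return ["no JSESSIONID cookie issued: tracking-mode is not COOKIE, "
                "or this response created no session"]
    findings: List[str] = []
    for c in session:
        if "secure" not in c:
            findings.append("JSESSIONID lacks Secure: browser will also send it over http://")
        if "httponly" not in c:
            findings.append("JSESSIONID lacks HttpOnly: document.cookie can read it")
    return findings


# Constructed session id in Tomcat's default shape (16 random bytes as hex).
SESSION_ID = "5B2D7A1C9E0F3A6B8C4D2E1F0A9B7C6D"
# Constructed: cookie issued with neither attribute, e.g. Tomcat behind httpd
# over plain HTTP (Tomcat did not see the request as secure, so no Secure)
# on a Context with useHttpOnly="false".
PROXIED_NO_CONFIG = [f"JSESSIONID={SESSION_ID}; Path=/app"]
# Constructed: same deployment after <cookie-config> with <secure>true</secure>
# and <http-only>true</http-only>, or with the connector marked secure="true".
HARDENED = [f"JSESSIONID={SESSION_ID}; Path=/app; Secure; HttpOnly"]
# Constructed: tracking-mode SSL, no cookie at all; the session rides on the
# TLS session, which here belongs to the Apache-to-Tomcat hop.
SSL_TRACKING: List[str] = []

if __name__ == "__main__":
    for label, hdrs in [("proxied, no config", PROXIED_NO_CONFIG),
                        ("hardened", HARDENED), ("ssl tracking", SSL_TRACKING)]:
        print(f"{label}: {audit_session_cookie(hdrs) or 'OK'}")
```

To run it against the real front-end, collect every Set-Cookie header from a response that creates a session (for example the first hit on a JSP that calls request.getSession()) and pass the list in; run it once against the httpd port and once directly against the Tomcat port, because the attributes can differ between the two when the proxy rewrites cookies.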
On Fri, Sep 28, 2012 at 10:58 AM, Konstantin Kolinko wrote:
> 2012/9/28 Martin Gainty :
> >
> > that is NOT what
2012/9/28 Martin Gainty :
>
> that is NOT what the op asked for
>
> if the OP is implementing SSL via her FE Apache then she needs to implement
> and configure mod_ssl on that FE Apache server
>
> You need to Understand what the op environment is before criticising the
> solution
> Martin
The OP as
information and has no legally binding effect.
Because e-mails can easily be manipulated, we accept no liability
for their contents.
> Date: Fri, 28 Sep 2012 20:52:14 +0800
> Subject: RE: Security issue regarding JSESSIONID cookie
> From: malibo8...@gmail
2012/9/28 Joan Morales :
> Hi,
>
> I have a security issue (hijack session) with JSESSIONID cookie,
>
> here is the problem:
>
> I am using an architecture with an Apache2 server in front of Tomcat, I
> have configured the SSL in both sides Apache(ssl_module) and
> To
ents
> > >
> > > with regards to external hosts i would suggest you deny all and allow
> > > secure access to only TC host to the secure folder of apache
> > >
> > > Good luck,
> > > Martin
> > > _
> secure access to only TC host to the secure folder of apache
> >
> > Good luck,
> > Martin
> > __
> > Please do not alter or interrupt this communication. Thank you.
> >
> >
> > > From: joan@gmail.com
> > >
Please do not alter or interrupt this communication. Thank you.
>
>
> > From: joan@gmail.com
> > Date: Fri, 28 Sep 2012 13:20:05 +0200
> > Subject: Security issue regarding JSESSIONID cookie
> > To: users@tomcat.apache.org
> >
> > Hi,
> >
> > I
pache
Good luck,
Martin
__
Please do not alter or interrupt this communication. Thank you.
> From: joan@gmail.com
> Date: Fri, 28 Sep 2012 13:20:05 +0200
> Subject: Security issue regarding JSESSIONID cookie
> To: users@tomcat.a
On 26/10/2010 03:42, ww...@ogcio.gov.hk wrote:
>
> Dear Sir/Madam,
>
> Recently it has been checked that there is a security vulnerability in
> the Tomcat (version 5.0.9) shipped with JBoss 4.0.3SP1.
>
> From the link below, it is recommended to upgrade to 5.5.28.
>
> http://marc.info/?l=tom
Yes.
Thanks & regards,
Wilson Fu
Tel: 3182 6675
ww...@ogcio.gov.hk
26.10.2010 10:42
Please respond to: "Tomcat Users List"
To: users@tomcat.apache.org
cc:
Subject: Help on upgrade tomcat bundled with JBoss for resolving tomcat security
issue -[SECURITY] CVE-2008-5515 Req
Dear Sir/Madam,
Recently it has been checked that there is a security vulnerability in the
Tomcat (version 5.0.9) shipped with JBoss 4.0.3SP1.
From the link below, it is recommended to upgrade to 5.5.28.
http://marc.info/?l=tomcat-user&m=124449799021571&w=2
We have tried to upgrade the
I think it's the real problem since the application is compiled using JDK 1.6
and it's run under JDK 1.5, but for now there's no way to change that because
we are migrating to 1.6
--
View this message in context:
http://www.nabble.com/tomcat-5.5.20-security-issue-tp20661073p20677894
aymen83 wrote on 24.11.2008 at 05:45:11 (-0800):
> I'm trying to run a web service on Tomcat 5.5.20 but I have this
> error. I'm not an expert in Tomcat, so could someone help me?
>
> java.lang.NoClassDefFoundError:
> com/sun/org/apache/xml/internal/security/Init
>
> at
> com.sun.xml.w
BEN HMIDA aymen wrote on 24.11.2008 at 16:24:35 (+0100):
> I tried to download the xmlsec.jar and placed it in my WEB-INF/lib but
> no success
Did you get one of these?
http://xml.apache.org/security/dist/java-library/
In order to register your security provider, you may have to do some
editin
ut no
success
-Original Message-
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
Sent: Monday, 24 November 2008 16:16
To: Tomcat Users List
Subject: RE: tomcat 5.5.20 security issue
> From: aymen83 [mailto:[EMAIL PROTECTED]
> Subject: tomcat 5.5.2
> From: aymen83 [mailto:[EMAIL PROTECTED]
> Subject: tomcat 5.5.20 security issue
>
>
> java.lang.NoClassDefFoundError:
> com/sun/org/apache/xml/internal/security/Init
Move up to a 1.6 JVM. It appears the version of Spring you're using is
expecting to have the 1.6 librar
I'm using sun jvm 1.5 and the os is windows XP
-Original Message-
From: Peter Crowther [mailto:[EMAIL PROTECTED]
Sent: Monday, 24 November 2008 14:59
To: 'Tomcat Users List'
Subject: RE: tomcat 5.5.20 security issue
> From: Serge Fonville [mailto:[EMAIL
> From: Serge Fonville [mailto:[EMAIL PROTECTED]
> Just a few questions off the top of my head:
... and to add another one:
> What is your OS
What is your Java virtual machine? In particular, are you using a non-Sun JVM
such as GCJ?
- Peter
--
-Original Message-
From: Serge Fonville [mailto:[EMAIL PROTECTED]
Sent: Monday, 24 November 2008 14:52
To: Tomcat Users List
Subject: Re: tomcat 5.5.20 security issue
Just a few questions off the top of my head: Where do you get the error
How did you configure tomcat
When do you get the error
What appl
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
> at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.
Hi,
Suneet Shah wrote:
Hello,
I am trying to call an EJB from tomcat 5.5.20. The EJB is located on
Websphere 6.1. I am able to get the JNDI context, but when I look up the
bean, I get the exception below. I confirmed that it's not a classpath
issue
as the ibmorb.jar, which contains the UtilD
Hello,
I am trying to call an EJB from tomcat 5.5.20. The EJB is located on
Websphere 6.1. I am able to get the JNDI context, but when I look up the
bean, I get the exception below. I confirmed that it's not a classpath issue
as the ibmorb.jar, which contains the UtilDelegateImpl class, is in th
Frank Peters wrote:
> Hi,
>
> I found the following security issue at security focus:
>
> http://www.securityfocus.com/bid/19106/info
>
> In my opinion, this issue is fixed with #37150 in 5.5.13 because directory
> listing is disabled by default, isn't it?
>
Hi,
I found the following security issue at security focus:
http://www.securityfocus.com/bid/19106/info
In my opinion, this issue is fixed with #37150 in 5.5.13 because directory
listing is disabled by default, isn't it?
Regards
Frank
44 matches