ryancblack/webgoat

Security: default configuration limits HTTP to localhost, but misses globally available AJP

Opened this issue · 1 comment

The default configurations for the bundled tomcat from 
WebGoat-5.4-OWASP_Standard_Win32.zip are:

* For listening on port 80, tomcat\conf\server_80.xml
* For listening on port 8080, tomcat\conf\server_8080.xml

Both of those try to limit the exposure of the machine on which WebGoat is 
installed by limiting the HTTP connector to listening on local loopback 
interface:

     <Connector address="127.0.0.1" port="80" ...  />

However, what has been overlooked is that there's also an active AJP/13 
connector:

     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
This connector should also be limited to loopback interface:

     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" redirectPort="8443" />

Original issue reported on code.google.com by aleksand...@gmail.com on 13 May 2013 at 10:26
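The check the reporter describes, as an added example that is not part of the original issue or of the WebGoat project: a small Python audit that parses a Tomcat `server.xml`, lists every `Connector` that is not bound to a loopback address (Tomcat binds all interfaces when the `address` attribute is absent), and produces a corrected copy with `address="127.0.0.1"` set on each connector. The sample XML is constructed to mirror the `server_80.xml` snippets quoted above; the file path and element layout beyond those snippets are assumptions.

```python
"""Audit a Tomcat server.xml for Connector elements not restricted to loopback.

Added example, not code from the WebGoat project. The sample below is a
constructed stand-in for tomcat\\conf\\server_80.xml as described in the issue.
"""
import xml.etree.ElementTree as ET

# Addresses that keep a connector reachable only from the local machine.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: HTTP connector bound to loopback, AJP connector left open.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="80" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def exposed_connectors(server_xml):
    """Return (port, protocol, address) for every Connector that would listen
    on a non-loopback interface. A missing address attribute means Tomcat
    binds all interfaces, so it is reported as exposed (address None)."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        port = conn.get("port", "?")
        if address is None or address.strip().lower() not in LOOPBACK:
            findings.append((port, protocol, address))
    return findings


def restrict_to_loopback(server_xml):
    """Return a copy of the configuration with every Connector bound to
    127.0.0.1, which is the fix proposed in the issue for the AJP connector."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        conn.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, protocol, address in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"Connector port={port} protocol={protocol} "
              f"bound to {address or 'all interfaces'}")
    fixed = restrict_to_loopback(SAMPLE_SERVER_XML)
    print("after fix, exposed connectors:", exposed_connectors(fixed))
```

Run against a real installation by reading `tomcat\conf\server_80.xml` (and `server_8080.xml`) into `exposed_connectors`; any row reported means that connector is reachable from other hosts regardless of what the HTTP connector's `address` says. The audit treats `0.0.0.0` and `::` as exposed because they are explicit wildcard bindings, not loopback addresses.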

Original comment by mayhe...@gmail.com on 18 Nov 2013 at 3:52

  • Changed state: Accepted