Computer Security - Jetty Vulnerabilities?

 
Old 06-08-2005, 10:12 PM   #1
Default Jetty Vulnerabilities?


Hi,
The Jetty HTTP server is supposed to be more secure and robust than
APACHE, Tomcat. Is there any place where I could find what attacks
Jetty is vulnerable to and if there are any holes which would
compromise the security of the web applications.

Thanks.



Clementine
Old 06-08-2005, 10:41 PM   #2
Unruh
 
Default Re: Jetty Vulnerabilities?
"Clementine" <> writes:

>Hi,
>The Jetty HTTP server is supposed to be more secure and robust than
>APACHE, Tomcat. Is there any place where I could find what attacks
>Jetty is vulnerable to and if there are any holes which would
>compromise the security of the web applications.


If they knew what holes there were they would presumably be plugged.
Certainly the known holes in apache are plugged. It is the unknown holes
that are the problem. And you will have a hard time finding a list of the
unknown holes.



Unruh
Old 06-09-2005, 03:07 AM   #3
Winged
 
Default Re: Jetty Vulnerabilities?
Clementine wrote:
> Hi,
> The Jetty HTTP server is supposed to be more secure and robust than
> APACHE, Tomcat. Is there any place where I could find what attacks
> Jetty is vulnerable to and if there are any holes which would
> compromise the security of the web applications.
>
> Thanks.
>

http://secunia.com/product/376/

They only show one unfixed vulnerability relating to directory
traversal and reading of arbitrary files on the web server that has a
partial fix in 3.0/4.0. This is considered a medium critical flaw that
has not been patched. The vulnerability has been open since March 04.
They don't appear to have a great record fixing the issue since it
occurred in version 3.x and 4.0 and is in excess of a year old. That said,
it may be they can't fix the vulnerability due to how the product operates.

I would have to weigh the criticality and data exposure against my needs
before I used it. I would be very careful in my considerations with
mission critical, sensitive applications, or with private data. But
Jetty might be ideal for an easy to use/maintain application for
inter-office/subnet communications for example. I would not use this for
any server requiring medium to high security.

Looking at the numbers it will not handle industrial strength workloads
but for light loads it appears to be more than adequate.

Not sure how valuable my feedback is as I have never "used" the
product. I will remedy this as I have just downloaded the product to
get familiar with. There may be niches jetty might be useful for. Thanks,

Winged




Winged
Old 06-09-2005, 10:20 PM   #4
Clementine
 
Default Re: Jetty Vulnerabilities?
Thanks winged!
>I would not use this for any server requiring medium to high security.


I tried some of the XSS attacks and SQL injections in my own network
which uses a jetty server and I can say it does a good job of escaping
HTML and javascript even in its error pages and takes care of other
things which make such servers vulnerable. I'm not quite sure if this
server is more secure than Tomcat and other servers...but looks pretty
good.



Clementine