tomcat-dev mailing list archives

From Ricardo Bánffy <rica...@organic.com.br>
Subject RE: Tomcat 'out of the box' security issue
Date Sun, 16 Jul 2000 15:31:10 GMT
Hi Scott. The solution, albeit drastic, is simple. Either serve through Apache
(or IIS) and restrict the access to the /admin context, or remove the
context and do your administration by hand (if you do it in Apache, you know
Tomcat is MUCH better)

-----Original Message-----
From: Scott Morris [mailto:smorris@Gridnet.com]
Sent: Friday, July 14, 2000 5:54 PM
To: 'tomcat-dev@jakarta.apache.org'
Subject: Tomcat 'out of the box' security issue


While doing a security audit recently, I decided to check Tomcat for the
../../ issue we were having with another service.  I was unable to get to
anything troubling, but I did notice that I got to:
http://mytomcatserver:8080/admin
I looked through all my documentation and all FAQs available, and found
nothing.  If such information exists, and I overlooked it, my apologies.
I realized that an arbitrary user could delete all my contexts and get
system information from the webapps in this directory.
That alone is not the worst thing in the world, but the fact that a context
can be created, possibly pointing to a nasty directory ( / or c:\winnt )
did not sit well with me.
Had I been a good admin, I would have removed all non-necessary folders, but
this is not a production box, and is not on the web, so I did not.
My suggestion is that users be warned of the power of the admin apps so they
can either protect or remove them. If it were set up similarly to Samba's
SWAT, that would be great, but editing configs is just as good to me ;)
I did not post this to the user group because I see this as a security
problem, and felt the developers should announce this, or point me in the
right direction, as the bugzilla is still offline.....


Regards,
Scott Morris
UNIX Admin
Gridnet International


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
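The first mitigation Ricardo suggests (front Tomcat with Apache and restrict the /admin context) as an added configuration example; it is not from the original thread or from the Tomcat project. It assumes Apache httpd 1.3/2.2-era mod_access directives, that the /admin context is already being forwarded to Tomcat, and a placeholder admin host address of 192.0.2.10 and a placeholder htpasswd path.

```apache
# Added example, not part of the original mailing-list thread.
# Assumes the /admin context is already forwarded from Apache to Tomcat
# and that Apache httpd 1.3/2.2 mod_access syntax is in use.

# Weak (the situation Scott describes): /admin is forwarded to Tomcat
# with no access control, so anyone who can reach port 80 can use it.
#
#   <Location /admin>
#   </Location>

# Corrected: deny everyone by default, allow only the loopback address
# and one administrator host (192.0.2.10 is a placeholder), and require
# HTTP basic authentication on top of the address check.
<Location /admin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10
    AuthType Basic
    AuthName "Tomcat administration"
    # Placeholder path; create it with htpasswd -c and keep it outside DocumentRoot
    AuthUserFile /etc/httpd/tomcat-admin.htpasswd
    Require valid-user
    # Both the address restriction and the password must be satisfied
    Satisfy All
</Location>
```

Apache httpd 2.4 replaces the Order/Deny/Allow trio with `Require ip ...` and `Require all denied`, so adjust the syntax if you run that version.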

