tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Costin Manolache <>
Subject Re: Big security problem with Admin context in Tomcat?
Date Wed, 05 Jul 2000 04:07:49 GMT
Admin should be disable by default, I'll fix that.
( or at least require auth - but not with the default pass )


Alan P Sexton wrote:

> I am new to Tomcat and have just installed v3.1 on a WinNT4.0 system.
> Maybe I am missing something but:
> out of the box it has a /admin context.
> Connect to /admin and add a new context, say
>         Context Path /z
>         docBase C:\
> The admin servlet does not appear to do any authentication that the
> invoker has any rights to do this (other than the file permissions of
> the user account under which tomcat is running) but it succeeds and lets
> me read anything on the C: drive of the server machine. (I have tried
> this from other accounts over the web)
> You can also remove a container without any apparent checks and so shut
> down any servlets or the whole server.
> I presume this is not supposed to happen. While I can easily remove the
> admin context, I am concerned with 2 issues:
> 1: The admin context is available by default in the 3.1 tomcat
> distribution with no warning.
> 2: Even if /admin is not available, the tomcat API supports an admin style
> servlet that can modify the contexts in this way. I can think of a
> number of ways that this could be used by virus or trojan horse writers,
> particularly if people start distributing servlets, beans or packages
> such as the O'Reilly one. However, this may not be an issue because of
> the unsecured nature of servlets anyway (I am aware of servlet
> sandboxes but I do not think they are a solution to this problem).
> --
> Alan P. Sexton,
> University of Birmingham                Tel:   0121-414 3703
> School of Computer Science              Fax:   0121-414 4281
> Edgbaston, Birmingham B15 2TT, England  Email:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View raw message