Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
From: Alan P Sexton <A.P.Sexton@cs.bham.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Mon,  3 Jul 2000 22:21:22 +0100 (BST)
To: tomcat-dev@jakarta.apache.org
Subject: Big security problem with Admin context in Tomcat?
Message-ID: <14688.62089.123872.142107@jock.cs.bham.ac.uk>


I am new to Tomcat and have just installed v3.1 on a WinNT4.0 system.
Maybe I am missing something but:

out of the box it has a /admin context.
Connect to /admin and add a new context, say
	Context Path /z
	docBase C:\

The admin servlet does not appear to do any authentication that the
invoker has any rights to do this (other than the file permissions of
the user account under which tomcat is running) but it succeeds and lets
me read anything on the C: drive of the server machine. (I have tried
this from other accounts over the web)

You can also remove a container without any apparent checks and so shut
down any servlets or the whole server.

I presume this is not supposed to happen. While I can easily remove the
admin context, I am concerned with 2 issues:

1: The admin context is available by default in the 3.1 tomcat
distribution with no warning.

2: Even if /admin is not available, the tomcat API supports an admin style
servlet that can modify the contexts in this way. I can think of a
number of ways that this could be used by virus or trojan horse writers, 
particularly if people start distributing servlets, beans or packages
such as the O'Reilly one. However, this may not be an issue because of
the unsecured nature of servlets anyway (I am aware of servlet
sandboxes but I do not think they are a solution to this problem).

-- 

Alan P. Sexton,
University of Birmingham		Tel:   0121-414 3703
School of Computer Science		Fax:   0121-414 4281
Edgbaston, Birmingham B15 2TT, England	Email: A.P.Sexton@cs.bham.ac.uk