tomcat-dev mailing list archives

From Mark Thomas
Subject Re: Active malware exploits of tomcat manager app
Date Sat, 04 Oct 2008 13:54:51 GMT
David Tyler wrote:
> Given the widespread and increasing nature of this exploit, I think it would be prudent
> of the tomcat devs to alter the default installation to disable the tomcat manager by default
> or otherwise somehow require a non-default password to be set.  True, this is not a bug of
> Tomcat, but it would help protect users if the default behavior prevented the inadvertent
> opening of this backdoor entry point.

You appear to be mis-informed. There is no default Tomcat password.

The Tomcat binary distributions are already constructed as you are
suggesting and have been that way for as long as I can remember.

With the zip/tar install, the user has to manually edit tomcat-users.xml.
The user must also add the manager role to one of the users. In 6.0.x the
user must also create a user as none are defined by default. None of the
default users is named admin.

With the Windows installer, an admin user is created but there is no
default password. The user must specify their own.

I am extremely interested to find out where you obtained your Tomcat
installations from as it could not have been an official Apache
distribution. Please let us know where you sourced them from so we can warn
the Tomcat user community to avoid them.

Kind regards,
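
An added example, not part of the message above and not Tomcat's own code: an audit of a tomcat-users.xml for the case this thread is about, a user that holds the manager role with an empty or guessable password. The sample file, the WEAK list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment's file. The commented-out user
# stands for a distribution that ships with no active users defined.
SAMPLE = """<tomcat-users>
  <role rolename="manager"/>
  <!-- <user username="example" password="example" roles="manager"/> -->
  <user username="deploy" password="deploy" roles="tomcat, manager"/>
  <user username="ops" password="" roles="manager"/>
  <user username="build" password="k9#Vt2!qLm4x" roles="manager"/>
  <user username="viewer" password="viewer" roles="tomcat"/>
</tomcat-users>
"""

# Assumed short list of guessable passwords; extend it for real use.
WEAK = {"admin", "manager", "tomcat", "password", "changeme"}


def local(tag):
    """Drop an XML namespace prefix such as '{uri}user'."""
    return tag.rsplit("}", 1)[-1]


def audit_manager_users(xml_text, manager_roles=("manager",)):
    """Return (username, reason) for manager-role users with guessable passwords."""
    findings = []
    # The parser discards XML comments, so commented-out users are not reported.
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        # Older files use name=, newer ones username=; accept both.
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if not roles & set(manager_roles):
            continue
        password = el.get("password", "")
        if password == "":
            findings.append((name, "empty password"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif password.lower() in WEAK:
            findings.append((name, "common password"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_manager_users(SAMPLE):
        print(f"{user}: {reason}")
```

Passwords stored as digests are not recognised by these string comparisons, so a clean result on such a file says nothing about password strength.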

