tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexandros Kotsiras" <>
Subject !!!!! Security Bug in Tomcat ???
Date Fri, 21 Jul 2000 21:46:14 GMT

     I am  currently using Tomcat in a production environment and i am very
satisfied with it.
     I just received the following email  from my company's UNIX admin :

     -----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]
Sent: Friday, July 21, 2000 9:47 AM
Subject: Jakarta-tomcat.../admin


Jakarta Tomcat contains a security bug that can compromise UNIX servers
running Tomcat as root.
Tomcat can be used together with the Apache web server or a stand alone
server for Java Servlets as well as Java Servlet Pages.


The defaullt intall of Tomcat contains a mounted contest ( /admin ) that
contains servlets that can be used to add, delete, or view context
information about the Tomcat Server.  Under UNIX, the root directory can bee
added as a context, and if the server is running as root, all files on the
system can be viewed over the web.

Possible Solution:

1)  Do not run the Tomcat server as root
2)  Restrict access to the /admin context or remove it completely.

Since i am not a really an advanced user i would like to see a response from
the Tomcat gurus of the user-group.
BTW I am not running it as root.



View raw message