tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexandros Kotsiras" <kotsi...@mediaondemand.com>
Subject !!!!! Security Bug in Tomcat ???
Date Fri, 21 Jul 2000 21:46:14 GMT


     Hello,
     I am  currently using Tomcat in a production environment and i am very
satisfied with it.
     I just received the following email  from my company's UNIX admin :


     -----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]
Sent: Friday, July 21, 2000 9:47 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Jakarta-tomcat.../admin


Summary:

Jakarta Tomcat contains a security bug that can compromise UNIX servers
running Tomcat as root.
Tomcat can be used together with the Apache web server or a stand alone
server for Java Servlets as well as Java Servlet Pages.

Problem:

The defaullt intall of Tomcat contains a mounted contest ( /admin ) that
contains servlets that can be used to add, delete, or view context
information about the Tomcat Server.  Under UNIX, the root directory can bee
added as a context, and if the server is running as root, all files on the
system can be viewed over the web.

Possible Solution:

1)  Do not run the Tomcat server as root
2)  Restrict access to the /admin context or remove it completely.


Since i am not a really an advanced user i would like to see a response from
the Tomcat gurus of the user-group.
BTW I am not running it as root.

Thanks,
Alex.


±˜˜˜°



Mime
View raw message