tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexandros Kotsiras" <kotsi...@mediaondemand.com>
Subject RE: !!!!! Security Bug in Tomcat ???
Date Sat, 22 Jul 2000 00:35:31 GMT
OK it seems that it really works.
Can you please tell me how do i remove the admin context ? ?
I can't find in the server.xml an entry like the other contexts:

e.g.
<Context path="/examples" docBase="webapps/examples" debug="0"
reloadable="true" >
        </Context>

Another brute approach would be to disable the built-in server on 8080 ?
Since "/admin" is not accesible through Apache unless you define it in
tomcat-apache.conf ? ?



-----Original Message-----
From: Jeremy Boyd [mailto:jboyd@docmagic.com]
Sent: Friday, July 21, 2000 6:54 PM
To: 'tomcat-user@jakarta.apache.org'
Subject: RE: !!!!! Security Bug in Tomcat ???


Yep... I did it and it worked... Regardless of permissions I was able to
browse all directories.  However I was only able to view .jsp .html .gif
.jpg pages from within the directories.

I'm just planning on deleting the admin context... I'd rather edit the xml
anyway.


-----Original Message-----
From: Alexandros Kotsiras [mailto:kotsiras@mediaondemand.com]
Sent: Friday, July 21, 2000 2:46 PM
To: tomcat-user@jakarta.apache.org
Subject: !!!!! Security Bug in Tomcat ???




     Hello,
     I am  currently using Tomcat in a production environment and i am very
satisfied with it.
     I just received the following email  from my company's UNIX admin :


     -----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]
Sent: Friday, July 21, 2000 9:47 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Jakarta-tomcat.../admin


Summary:

Jakarta Tomcat contains a security bug that can compromise UNIX servers
running Tomcat as root.
Tomcat can be used together with the Apache web server or a stand alone
server for Java Servlets as well as Java Servlet Pages.

Problem:

The defaullt intall of Tomcat contains a mounted contest ( /admin ) that
contains servlets that can be used to add, delete, or view context
information about the Tomcat Server.  Under UNIX, the root directory can bee
added as a context, and if the server is running as root, all files on the
system can be viewed over the web.

Possible Solution:

1)  Do not run the Tomcat server as root
2)  Restrict access to the /admin context or remove it completely.


Since i am not a really an advanced user i would like to see a response from
the Tomcat gurus of the user-group.
BTW I am not running it as root.

Thanks,
Alex.


±~~~°


Mime
View raw message