tomcat-users mailing list archives

From "Alexandros Kotsiras" <>
Subject RE: !!!!! Security Bug in Tomcat ???
Date Sat, 22 Jul 2000 00:35:31 GMT
OK it seems that it really works.
Can you please tell me how I remove the admin context?
I can't find in the server.xml an entry like the other contexts:

<Context path="/examples" docBase="webapps/examples" debug="0"
reloadable="true" >

Another brute-force approach would be to disable the built-in server on 8080?
Since "/admin" is not accessible through Apache unless you define it in
tomcat-apache.conf?

-----Original Message-----
From: Jeremy Boyd []
Sent: Friday, July 21, 2000 6:54 PM
To: ''
Subject: RE: !!!!! Security Bug in Tomcat ???

Yep... I did it and it worked... Regardless of permissions I was able to
browse all directories.  However I was only able to view .jsp .html .gif
.jpg pages from within the directories.

I'm just planning on deleting the admin context... I'd rather edit the xml

-----Original Message-----
From: Alexandros Kotsiras []
Sent: Friday, July 21, 2000 2:46 PM
Subject: !!!!! Security Bug in Tomcat ???

I am currently using Tomcat in a production environment and I am very
satisfied with it.
I just received the following email from my company's UNIX admin:

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]
Sent: Friday, July 21, 2000 9:47 AM
Subject: Jakarta-tomcat.../admin


Jakarta Tomcat contains a security bug that can compromise UNIX servers
running Tomcat as root.
Tomcat can be used together with the Apache web server or a stand alone
server for Java Servlets as well as Java Servlet Pages.


The default install of Tomcat contains a mounted context ( /admin ) that
contains servlets that can be used to add, delete, or view context
information about the Tomcat Server.  Under UNIX, the root directory can be
added as a context, and if the server is running as root, all files on the
system can be viewed over the web.

Possible Solution:

1)  Do not run the Tomcat server as root
2)  Restrict access to the /admin context or remove it completely.

Since I am not really an advanced user I would like to see a response from
the Tomcat gurus of the user-group.
BTW I am not running it as root.
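The Bugtraq note above describes the exposure (an unauthenticated /admin context that can mount "/" as a docBase) and two mitigations, and Alexandros notes that the admin context does not appear as a <Context> entry in his server.xml. The following is an added audit script, not code from this thread or from the Tomcat project. It parses a server.xml, flags any context whose docBase resolves to the filesystem root (including relative docBases that traverse upward, which goes beyond the literal "/" case in the advisory), flags an explicit /admin context, reports which ports the built-in connectors listen on, and checks for a webapps/admin directory, on the assumption that a Tomcat 3.x install auto-mounts every directory under webapps/ (which would explain why no entry is found in server.xml). The server.xml below is a constructed sample whose element and parameter names are assumed to follow the Tomcat 3.x layout; the TOMCAT_HOME path and the webapps directory listing are also assumptions passed in so the check runs offline.

```python
"""Audit a Tomcat 3.x-style server.xml (plus the webapps/ listing) for the
exposures discussed in the thread: a context rooted at "/", an explicit /admin
context, an auto-mounted webapps/admin directory, and built-in connector ports.
Added example, not code from the mailing-list thread or the Tomcat project."""
import os
import xml.etree.ElementTree as ET

# Constructed sample, NOT a real Tomcat server.xml. Element names follow the
# Tomcat 3.x layout (Server / ContextManager / Connector / Context) as an assumption.
SAMPLE_SERVER_XML = """
<Server>
  <ContextManager debug="0" workDir="work">
    <Connector className="org.apache.tomcat.service.SimpleTcpConnector">
      <Parameter name="handler"
                 value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
      <Parameter name="port" value="8080"/>
    </Connector>
    <Context path="/examples" docBase="webapps/examples" debug="0" reloadable="true"/>
    <Context path="/files" docBase="/" debug="0" reloadable="true"/>
    <Context path="/up" docBase="../../.." debug="0" reloadable="true"/>
  </ContextManager>
</Server>
"""


def audit_server_xml(xml_text, tomcat_home="/opt/tomcat", webapps_dirs=None):
    """Return a list of (severity, message) findings for one server.xml.

    tomcat_home  : assumed install prefix used to resolve relative docBases.
    webapps_dirs : names of directories under <tomcat_home>/webapps, supplied by
                   the caller (e.g. os.listdir(...)) so the audit runs offline.
    """
    findings = []
    root = ET.fromstring(xml_text)
    fs_root = os.path.abspath(os.sep)

    for ctx in root.iter("Context"):
        path = ctx.get("path", "")
        doc_base = ctx.get("docBase", "")
        # Relative docBases are resolved against TOMCAT_HOME. Anything that
        # normalises to the filesystem root exposes every file the Tomcat user
        # can read, which is the whole system when Tomcat runs as root.
        resolved = doc_base if os.path.isabs(doc_base) \
            else os.path.join(tomcat_home, doc_base)
        if os.path.normpath(resolved) == fs_root:
            findings.append(("high", "context %r has docBase %r (filesystem root)"
                             % (path, doc_base)))
        if path == "/admin":
            findings.append(("high", "explicit /admin context is mounted in server.xml"))

    # Assumption: Tomcat 3.x auto-mounts each directory under webapps/, so the
    # admin context can be live without any <Context> entry in server.xml.
    if webapps_dirs is not None and "admin" in webapps_dirs:
        findings.append(("high", "webapps/admin directory present; auto-mounted as /admin"))

    # Report every built-in connector port so the reader can decide whether the
    # stand-alone listener (8080 by default) should be closed or firewalled.
    for conn in root.iter("Connector"):
        for param in conn.findall("Parameter"):
            if param.get("name") == "port":
                findings.append(("info", "built-in connector listening on port %s"
                                 % param.get("value")))
    return findings


if __name__ == "__main__":
    # Constructed webapps/ listing standing in for os.listdir("/opt/tomcat/webapps").
    for severity, message in audit_server_xml(SAMPLE_SERVER_XML,
                                              webapps_dirs=["ROOT", "examples", "admin"]):
        print("[%s] %s" % (severity, message))
```

On a real host, pass `os.listdir(os.path.join(tomcat_home, "webapps"))` for `webapps_dirs` and the file contents of `conf/server.xml`; any "high" finding means either removing the offending context (or the webapps/admin directory) or fronting it with an authenticated Apache location, and the "info" line tells you which port to close if, as suggested above, the stand-alone listener is to be disabled in favour of Apache.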
