tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: Information on a hacked tomcat 5
Date Wed, 13 Apr 2005 20:42:04 GMT
It depends if these apps are visible to the internet. You can use a 
remote address filter (actually a valve not a filter in the servlet API 
sense of the word) to limit their accessibility.

If the apps are visible, an attacker with your manager password can 
replace one of your trusted apps/deploy their own app which can do 
anything allowed by your security policy and the permissions of the user 
under which the tomcat process runs. Assuming they can then escalate 
their access via some other vulnerability, getting root access is also 

Things you can do to mitigate this risk
- configure a remote address filter for all admin sensitive apps (admin, 
manager + any of your own)
- configure a security manager

and then test your configuration to make sure it does what you think it 

Depending on your OS there may be other things you can do to isolate the 
tomcat process from the rest of the box.


Lorenzo Jiménez wrote:
> Hi,
> If someone on the net found out, for whatever reason, our admin or manager user and password, what resources could he get besides turning the apps on/off and looking at tomcat-users.xml?
> Can he/she get info on the application context.xml like database user and passwords?
> Can he/she deploy an exe or script for converting a server in a zombie?
> Change the server init scripts?
> Change the root password?
> Thanks very much,
> Lorenzo Jimenez

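An added example of the first mitigation Mark describes (not part of either message): a per-application context file for the manager webapp with a RemoteAddrValve that only admits connections from loopback and one assumed administration subnet. The file location, docBase and the 192.168.1.x range are assumptions; in Tomcat 5.x the `allow` attribute is a comma-separated list of regular expressions matched against the whole client address, so the dots are escaped.

```xml
<!-- Assumed location: $CATALINA_HOME/conf/Catalina/localhost/manager.xml
     (one such file per admin-sensitive app: manager, admin, your own). -->
<Context docBase="${catalina.home}/server/webapps/manager"
         privileged="true">

  <!-- Only these client IPs may reach /manager at all; everyone else
       gets a 403 before the password is even checked. Each pattern
       must match the full remote address, hence the escaped dots
       and the anchored \d+ for the last octet of the assumed subnet. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,192\.168\.1\.\d+" />

</Context>
```

For the second mitigation, start Tomcat with `catalina.sh start -security` so that `conf/catalina.policy` governs what a deployed webapp may do, and, as Mark says, test from an address outside the allow list to confirm the valve actually blocks it.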