tomcat-users mailing list archives

From Ognjen Blagojevic <>
Subject Re: Security Issue in Tomcat
Date Fri, 12 Jul 2013 07:54:30 GMT

On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
> I'm using Tomcat 7.0.40 for a hosted application. I have not configured any
> user accounts for Tomcat (admin, manager, user etc.). Recently my deployed
> web application was damaged. Restarting Tomcat recovered it.
> But it seems someone tried to access my Tomcat and delete some files (I
> guess the class file of index.jsp, as mentioned in the log). I have added my log
> files [0], [1], [2] and [3]. Currently I have my jsp directory outside the
> WEB-INF directory (yes, it's bad practice and I'll correct it).

Tomcat is complaining that it is not able to read the class files of 
compiled JSPs (index.jsp and 401.jsp). It is not clear how those 
class files were deleted -- whether through an application security 
breach, Tomcat, the OS, or a local user who accidentally deleted them 
or changed access privileges. From the log files I am unable to tell that.

Keep in mind that if the attacker was able to modify Tomcat's work 
directory he was most certainly able to modify logs directory as well, 
so there is a possibility that log files are altered.

> 1. Do you see any issues after looking at my log files? Maybe due to a bad
> configuration/practice etc.

For a start, remove ALL web applications you don't need -- probably 
everything except your own application. If you don't use the manager 
application, remove it. If you do need it, configure the manager application 
to accept connections only from trusted IP addresses, use an unexpected 
username (something different from "manager", "admin" or "tomcat"), and 
use a strong password.

Always run the Tomcat service as an unprivileged user (e.g. tomcat, not root).

Start reading and practicing what is written here:

> 2. And can someone delete files if there are no user accounts for Tomcat?

The Tomcat process must be able to modify the work, logs and temp 
directories in order to work properly. Therefore, a poorly written 
webapp, or (less likely) a bug in Tomcat, may allow a remote attacker 
to modify or delete files at least in those three directories. If other 
Tomcat directories are writable by the user running Tomcat, the attacker 
may also do other nasty things (alter JSPs, install new webapps and so 
on). In the worst case, if you run your Tomcat service as user root, a 
bug in your webapp might allow an attacker to take full control over 
your server.
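The reply above gives four concrete hardening checks: remove stock webapps you don't need, restrict the manager application to trusted IP addresses, keep everything outside work/logs/temp non-writable, and don't run Tomcat as root. The script below is an added example (not part of the original mail or of Tomcat itself) that audits an instance against those points. It assumes the standard layout $CATALINA_BASE/webapps, work, logs and temp, and only inspects the manager's own META-INF/context.xml for the RemoteAddrValve; a valve configured in conf/Catalina/localhost/manager.xml instead would not be seen by it.

```shell
#!/bin/sh
# Added example: read-only audit of a Tomcat instance against the advice in
# the reply above. Not part of Tomcat or of the original mail.
# Assumes the standard layout $CATALINA_BASE/{webapps,work,logs,temp}.

# Webapps shipped with the Tomcat distribution; a production instance
# usually needs none of them except its own application.
STOCK_WEBAPPS="docs examples host-manager manager ROOT"

# Print the stock webapps still deployed under $1/webapps, one per line.
list_stock_webapps() {
    for app in $STOCK_WEBAPPS; do
        if [ -d "$1/webapps/$app" ]; then
            echo "$app"
        fi
    done
}

# Print XML file $1 with <!-- ... --> comments removed, so a commented-out
# valve (as shipped in the stock manager context.xml) does not count.
strip_xml_comments() {
    tr '\n' ' ' < "$1" | awk '{
        s = $0; out = ""
        while ((i = index(s, "<!--")) > 0) {
            out = out substr(s, 1, i - 1)
            s = substr(s, i + 4)
            j = index(s, "-->")
            if (j == 0) { s = ""; break }   # unterminated comment: drop the rest
            s = substr(s, j + 3)
        }
        print out s
    }'
}

# Return 0 if the manager webapp's own META-INF/context.xml has an active
# RemoteAddrValve, 1 if manager is deployed without one, 2 if manager is
# not deployed at all.
manager_restricted_by_ip() {
    ctx="$1/webapps/manager/META-INF/context.xml"
    [ -d "$1/webapps/manager" ] || return 2
    if [ -f "$ctx" ] && strip_xml_comments "$ctx" | grep -q 'RemoteAddrValve'; then
        return 0
    fi
    return 1
}

# Print every file or directory under $1 that is world-writable, skipping
# work, logs and temp, which the Tomcat process must be able to write.
find_world_writable_outside_runtime_dirs() {
    base="$1"
    find "$base" \( -path "$base/work" -o -path "$base/logs" -o -path "$base/temp" \) -prune \
        -o -perm -002 -print
}

# Print the account(s) running a Tomcat JVM on this host; "root" is the
# finding the reply warns about.
tomcat_process_users() {
    ps -eo user=,args= | awk '/org\.apache\.catalina\.startup\.Bootstrap/ && !/awk/ { print $1 }' | sort -u
}

# Run all checks against the CATALINA_BASE given as $1.
audit() {
    echo "== stock webapps still deployed =="
    list_stock_webapps "$1"
    echo "== manager access restriction =="
    manager_restricted_by_ip "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "manager: RemoteAddrValve active" ;;
        2) echo "manager: not deployed (good)" ;;
        *) echo "manager: deployed WITHOUT RemoteAddrValve" ;;
    esac
    echo "== world-writable paths outside work/logs/temp =="
    find_world_writable_outside_runtime_dirs "$1"
    echo "== users running Tomcat JVMs =="
    tomcat_process_users
}

if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Run it as `sh tomcat-audit.sh /path/to/catalina_base`. Any stock webapp it lists, a manager line without an active valve, any path printed under the world-writable heading, or `root` under the JVM users heading is an item to fix; to restrict the manager to localhost, the valve in its context.xml is `<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1" />` (the `allow` attribute is a regular expression in Tomcat 7).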

