tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chanaka Dharmarathna <pe.chanaka...@gmail.com>
Subject Re: Security Issue in Tomcat
Date Fri, 12 Jul 2013 08:23:39 GMT
Hi Ognjen,

On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
>
>> I'm using Tomcat 7.0.40 for hosted application. I have not configured any
>> user accounts for tomcat (admin, manager, user etc.). Recently my deployed
>> web application was damaged. Restarting tomcat recovered it back.
>>
>> But it seems someone tried to access my tomcat and delete some files(I
>> guess class file of index.jsp as mentioned in the log). I have added my
>> log
>> files [0], [1], [2] and [3]. Currently I have my jsp directory outside the
>> WEB-INF directory (yes, it's bad practice and I'll correct it).
>>
>
> Tomcat is complaining that it is not able to read class files of compiled
> JSPs (index.jsp, and 401.jsp). It is not clear how are those class files
> deleted -- was it through application security breach, Tomcat, OS or local
> user accidentally deleted them, or changed access privileges. From the log
> files I am unable to tell that.
>
> Keep in mind that if the attacker was able to modify Tomcat's work
> directory he was most certainly able to modify logs directory as well, so
> there is a possibility that log files are altered.
>
>
>
>  1. Do you see any issues after looking my log files ? May be due to a bad
>> configuration/practice etc.
>>
>
> For start, remove ALL web applications you don't need -- probably
> everything except your own application. If you don't use manager
> application, remove it. If you do need it, configure manager application to
> accept connections only from trusted IP addresses, use unexpected username
> (something different from "manager", "admin" or "tomcat"), and use strong
> password.
>
> Run Tomcat service always as unprivileged user (e.g. tomcat, not root).
>
> Start reading and practicing what is written here:
>
> http://tomcat.apache.org/**tomcat-7.0-doc/security-howto.**html<http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html>
>
>
>
>
>  2. And can someone delete files if there are no user accounts for tomcat ?
>>
>
> Tomcat process must be able to modify work, logs and temp directories, in
> order to work properly. Therefore, poorly written webapp, or (less likely)
> bug in Tomcat, may allow remote attacker to modify or delete files at least
> in those three directories. If other Tomcat directories are writable by
> user running Tomcat, attacker may also do other nasty things (alter JSPs,
> install new webapps and so on). In worst case, if you run your Tomcat
> service as user root, a bug in your webapp might allow attacker to take
> full control over your server.
>

Thanks for your valuable thoughts on this. I'll follow these instructions
to secure my tomcat.

Regards !
-- 
*Chanaka*

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message