tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [OT] Symantic has a first tomcat worm ;-)
Date Tue, 26 Nov 2013 10:53:08 GMT
Ognjen Blagojevic wrote:
> Chris,
> 
> On 25.11.2013 20:56, Christopher Schultz wrote:
>>> <role rolename="manager-gui"/>
>>> <user username="tomcat" password="s3cret" roles="manager-gui"/>
>>> ----
>>>
>>> What most users do is to copy the XML example, and paste it into
>>> tomcat-users.xml.
>>
>> If that were the case, I would have expected to see "tomcat:s3cret"
>> listed in the worm's "obvious creds" list. Since it's not there, I
>> suppose that either it's not used very often in the wild or the
>> authors are not very smart.
> 
> This worm maybe does not, but I found references to that 
> username/password in wordlists[1], blogs[2,3] and books[4]. For me, that 
> is a sign that Tomcat should avoid using that particular example password.
> 
> -Ognjen
> 
> 
> [1] https://github.com/lattera/metasploit/blob/master/data/wordlists/tomcat_mgr_default_userpass.txt
> [2] http://www.socialseer.com/2013/07/14/watching-the-hackers-try-to-break-into-tomcat/
> [3] http://x9090.blogspot.com/2012/09/a-case-study-of-tomcat-web-server.html
> [4] http://www.amazon.com/Hacking-Exposed-Network-Security-Solutions/dp/0071780289
> 

My company has been distributing an (external) software package for 30 years.  In the standard distribution, there are 3 users defined with 3 standard passwords, to use for the initial demo and user training.  The documentation has a prominent section in capitals and red color that says that the passwords of these users should be changed, or these users deleted, as soon as the initial testing phase is over.

When I go visit customers however, about 50% of them still have these users enabled with the original passwords, even at some very security-conscious places.

Users are like that.

So yes, by all means, have the Manager disabled by default; even when subsequently enabled, restrict it by default to localhost; and in the documentation and examples, use some password that is guaranteed NOT to work and MUST be changed. "******" may be a good way to suggest that it has to be changed, though I am sure that there will be users trying it literally.
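One way to check a deployment for the two things discussed above: the documented example credential still sitting in tomcat-users.xml, and a Manager application whose context.xml does not restrict clients to localhost. This is an added example, not code from the thread or from the Tomcat project; the XML samples, the probe address 203.0.113.10 and the EXAMPLE_CREDS set are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Example credential from the Tomcat docs, as quoted in the thread.
EXAMPLE_CREDS = {("tomcat", "s3cret")}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
NON_LOCAL_PROBE = "203.0.113.10"  # RFC 5737 documentation address (constructed)

def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}user -> user)."""
    return tag.rsplit("}", 1)[-1]

def audit_users(tomcat_users_xml: str) -> list[str]:
    """Findings for tomcat-users.xml: the documented example credential still
    present, and accounts that carry a manager role."""
    findings = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (name, el.get("password", "")) in EXAMPLE_CREDS:
            findings.append(f"{name}: password is the documented example value")
        if roles & MANAGER_ROLES:
            findings.append(f"{name}: holds manager role(s) {sorted(roles & MANAGER_ROLES)}")
    return findings

def manager_is_localhost_only(context_xml: str) -> bool:
    """True when manager's context.xml has a RemoteAddrValve whose allow pattern
    admits loopback but rejects a routable address. Tomcat matches the whole
    client address against the pattern, hence re.fullmatch."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className", "").endswith("RemoteAddrValve"):
            allow = valve.get("allow", "")
            return bool(re.fullmatch(allow, "127.0.0.1")) and not re.fullmatch(allow, NON_LOCAL_PROBE)
    return False  # no valve: every client that can reach the port gets a login prompt

# Constructed samples: the thread's example credential, and two manager context.xml variants.
WEAK_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>"""
OPEN_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'
LOCAL_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>"""

if __name__ == "__main__":
    print(audit_users(WEAK_USERS), manager_is_localhost_only(OPEN_CONTEXT), manager_is_localhost_only(LOCAL_CONTEXT))
```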

