Chris,

On 25.11.2013 20:56, Christopher Schultz wrote:
> <role rolename="manager-gui"/>
> <user username="tomcat" password="s3cret" roles="manager-gui"/>
> ----
>
> What most users do is to copy the XML example, and paste it into
> tomcat-users.xml.
>
> If that were the case, I would have expected to see "tomcat:s2cret"
> listed in the worm's "obvious creds" list. Since it's not there, I
> suppose that either it's not used very often in the wild or the
> authors are not very smart.

This worm maybe does not, but I found references to that username/password in wordlists[1], blogs[2,3] and books[4]. For me, that is a sign that Tomcat should avoid using that particular example password.

-Ognjen


[1] https://github.com/lattera/metasploit/blob/master/data/wordlists/tomcat_mgr_default_userpass.txt
[2] http://www.socialseer.com/2013/07/14/watching-the-hackers-try-to-break-into-tomcat/
[3] http://x9090.blogspot.com/2012/09/a-case-study-of-tomcat-web-server.html
[4] http://www.amazon.com/Hacking-Exposed-Network-Security-Solutions/dp/0071780289
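A defender-side check for the problem raised in this thread, added here as an example and not part of the original emails: it parses a tomcat-users.xml and flags accounts that still carry a password copied from a documentation example, treating manager/admin roles as the higher-risk case. The sample file is constructed, and the EXAMPLE_PASSWORDS entries other than "s3cret" are an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml. The "tomcat"/"s3cret" entry mirrors the
# documentation snippet quoted in the thread; the other entries are made up.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
  <user username="ops" password="Xk9#longRandomValue" roles="manager-gui"/>
  <user username="guest" password="s3cret" roles="tomcat"/>
</tomcat-users>
"""

# Passwords that appear verbatim in documentation examples and hence in
# attacker wordlists. "s3cret" is from the thread; "tomcat" is an assumed
# addition, and the set is meant to be extended from a local wordlist.
EXAMPLE_PASSWORDS = {"s3cret", "tomcat"}
PRIVILEGED_ROLE_PREFIXES = ("manager-", "admin-")


def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) for <user> entries that reuse an
    example password; manager/admin roles are called out separately."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Tomcat 7+ files use a default namespace, older ones none; strip it.
        if elem.tag.split("}")[-1] != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = any(r.startswith(PRIVILEGED_ROLE_PREFIXES) for r in roles)
        if password in EXAMPLE_PASSWORDS and privileged:
            findings.append((name, "documentation example password on manager role"))
        elif password in EXAMPLE_PASSWORDS:
            findings.append((name, "documentation example password"))
    return findings


if __name__ == "__main__":
    for username, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{username}: {reason}")
```

Point the script at the real conf/tomcat-users.xml (read the file into xml_text) to get the same report for a deployed instance.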
