Confirmed. The docs are not in sync with what the installer does. We'll get this fixed in a future release.

In future, please report possible security issues privately rather than publicly.

-Tim

David Norheim wrote:
Hi,

I would like someone's opinion on the following issue that we have discovered using the Windows distribution of Tomcat 6 (tested for Tomcat 6.0.14, 6.0.16 and 6.0.20 downloaded from [1]).

The documentation for Tomcat 6 states

It would be quite unsafe to ship Tomcat with default settings that allowed anyone on the Internet to execute the Manager application on your server. Therefore, the Manager application is shipped with the requirement that anyone who attempts to use it must authenticate themselves, using a username and password that have the role manager associated with them. Further, there is no username in the default users file ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned this role. Therefore, access to the Manager application is completely disabled by default.



While installing the zip or tar.gz version of the binary distributions does not open up the manager application, the Windows exe version does.

Having downloaded the exe version and started the wizard, you get to a screen where you are asked to enter an Administrator Login username and password. The default settings leave you with a tomcat-users.xml file that has the manager application enabled. Also, there is (as far as I can see) no way to avoid this step in the installation wizard.

The net result is that you end up with an unsafe installation, having this statement in the tomcat-users.xml file:

<user name="admin" password="" roles="admin,manager" />

This is, as far as I can see, related to some of the problems that have occurred in the past, notably [2], and we also had a situation related to this in our installation. As far as I can see there is nothing wrong with the distribution file itself - it seems to be valid in relation to the md5 file, so this must have been a design choice.

Could someone please comment on this, and on whether there are any planned actions related to it.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
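As an added example (not part of the thread or of Tomcat itself), a small audit script that checks a tomcat-users.xml for the condition David describes: an account holding the admin or manager role with an empty password. The sample document is constructed and reproduces the quoted `<user name="admin" password="" ...>` line; the role set and the `name`/`username` attribute handling are assumptions based on Tomcat 6's MemoryUserDatabase.

```python
"""Audit a Tomcat tomcat-users.xml for privileged accounts with empty passwords.

Constructed example, not part of the mailing-list thread or of Tomcat itself.
"""
import xml.etree.ElementTree as ET

# Roles that grant administrative access in Tomcat 6 (assumption based on the
# thread: the installer assigns "admin,manager" to the default account).
PRIVILEGED_ROLES = {"admin", "manager"}

# Constructed sample: the first <user> is the line quoted in the thread;
# the other two accounts are made up for contrast.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user name="admin" password="" roles="admin,manager" />
  <user username="deploy" password="s3cret-example" roles="manager"/>
  <user username="guest" password="" roles=""/>
</tomcat-users>
"""


def find_unprotected_admins(xml_text):
    """Return (username, sorted roles) for every user that holds a privileged
    role but has an empty or missing password attribute.

    Tomcat's MemoryUserDatabase accepts either 'username' or the older 'name'
    attribute (assumption), so both spellings are checked here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        name = user.get("username") or user.get("name") or "<unnamed>"
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        password = user.get("password")
        # Empty string and missing attribute both count as "no password".
        if roles & PRIVILEGED_ROLES and not password:
            findings.append((name, sorted(roles)))
    return findings


if __name__ == "__main__":
    for name, roles in find_unprotected_admins(SAMPLE_TOMCAT_USERS):
        print(f"unprotected privileged account: {name} roles={roles}")
```

Run against `$CATALINA_BASE/conf/tomcat-users.xml` after a Windows installer run, the only expected hit on a default install is the `admin` account; any hit should be fixed by setting a real password or removing the account.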
