I saw this on one of the Apache websites.

*[Summary]*
Apache Tomcat is prone to an insecure-password vulnerability in the Windows installer. The administrative password defaults to a blank password during the install process. Attackers may exploit this issue to obtain administrative access to the application. Other attacks may also be possible.

*[Affected Version]*
Tomcat 6.0.0 through 6.0.20 and Tomcat 5.5.0 through 5.5.28 are vulnerable. Unsupported versions in the 3.x, 4.x, 4.1.x, and 5.0.x branches may also be affected.

*[Solution/Workaround]*
The following workarounds are available:
1. Install the application via the .zip or .tar.gz distributions instead of using the Windows installer method.
2. Remove the 'admin' user from 'tomcat-users.xml' after the Windows installer has completed.
3. Edit the 'tomcat-users.xml' file to provide the 'admin' user with a strong password after the Windows installer has completed.

Currently my Tomcat version is 5.0.27. I have checked the 'tomcat-users.xml' file and it doesn't contain the 'admin' user. Does this mean that my Tomcat is safe?

Thank you for answering my question.

Best Regards,
Saw Chee Hong
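As an added example (not part of the original post or of Tomcat itself), a small audit that parses a tomcat-users.xml and reports the conditions the workarounds above are about: an 'admin' user left over from the installer, any user with a blank password, and any privileged user whose password equals the username. The XML embedded below is a constructed sample, not a file from any real install.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling what the affected Windows installer wrote:
# an 'admin' account with an empty password (assumed layout, not a real file).
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# Roles that grant control over the server or its deployed applications.
PRIVILEGED_ROLES = {"admin", "manager"}


def _local_name(tag):
    # Newer tomcat-users.xml files carry an XML namespace; strip it so the
    # same check works on old and new layouts.
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, issue) findings for weak <user> entries."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # 'username' is the documented attribute; 'name' is accepted as a
        # fallback here (assumption about older files).
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password")
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        if not password:
            findings.append((name, "blank password"))
        if name == "admin":
            findings.append((name, "installer default 'admin' account present"))
        if roles & PRIVILEGED_ROLES and password == name:
            findings.append((name, "privileged role with password equal to username"))
    return findings


def is_installer_admin_present(xml_text):
    return any(issue.startswith("installer default") for _, issue in audit_tomcat_users(xml_text))


if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {issue}")
```

To run it against a real install, read `conf/tomcat-users.xml` and pass its contents to `audit_tomcat_users`; an empty result means none of the three conditions was found.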