On 07/12/2009 04:53, Saw Chee Hong wrote:
I saw this on one of the Apache websites.
*[Summary]*
Apache Tomcat is prone to an insecure-password vulnerability in the Windows
installer. The administrative password defaults to a blank password during
the install process.
Attackers may exploit this issue to obtain administrative access to the
application. Other attacks may also be possible.
*[Affected Version]*
Tomcat 6.0.0 through 6.0.20 and Tomcat 5.5.0 through 5.5.28 are vulnerable;
unsupported versions in the 3.x, 4.x, 4.1.x, and 5.0.x branches may also be
affected.
*[Solution/Workaround]*
The following workarounds are available:
1. Install the application via the .zip or .tar.gz distributions instead of
using the Windows installer method.
2. Remove the 'admin' user from 'tomcat-users.xml' after the Windows
installer has completed.
3. Edit the 'tomcat-users.xml' file to provide the 'admin' user with a
strong password after the Windows installer has completed.
Currently my Tomcat version is 5.0.27. I have checked the 'tomcat-users.xml'
file and it doesn't contain the 'admin' user.
Then you are not at risk from *this particular* issue.
Does this mean that my tomcat is safe?
No idea. That's too open-ended a question; we can't tell what else
you've done to it.
p
Thank you for answering my question.
Best Regards,
Saw Chee Hong
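The check Saw Chee Hong did by hand (look in tomcat-users.xml for an 'admin' user with a blank password, workarounds 2 and 3 above) can be scripted. The following is an added example, not code from the thread or from the Tomcat project. It assumes the standard tomcat-users.xml layout (`<user username="..." password="..." roles="..."/>`; very old files may use `name` instead of `username`), treats the `admin` and `manager` roles as the privileged ones the advisory is concerned with, and the sample file embedded below is constructed for illustration. It goes slightly beyond the advisory by also flagging a privileged account whose password equals its username.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling what the Windows installer wrote: an 'admin'
# user with an empty password. Not copied from any real installation.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="ops" password="correct horse battery staple" roles="manager"/>
</tomcat-users>
"""

# Roles that grant access to the admin / manager web applications (assumption
# based on the 5.5 / 6.0 role names; adjust for your own deployment).
PRIVILEGED_ROLES = {"admin", "manager"}


def _local_name(tag):
    """Strip an XML namespace prefix ('{uri}user' -> 'user') if present."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) for privileged accounts with weak credentials.

    A privileged account is one whose roles intersect PRIVILEGED_ROLES.
    Findings are reported for an empty/missing password and for a password
    equal to the username; everything else is left to the reader's policy.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        # Old Tomcat 4-era files used 'name'; current files use 'username'.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password")
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue
        if password is None or password == "":
            findings.append((name, "empty password with roles " + ",".join(sorted(privileged))))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
    return findings


def audit_file(path):
    """Audit a tomcat-users.xml on disk; returns the same findings list."""
    with open(path, "rb") as fh:
        return audit_tomcat_users(fh.read().decode("utf-8"))


if __name__ == "__main__":
    # Usage: python audit_tomcat_users.py [path/to/tomcat-users.xml]
    # Without an argument the constructed sample is audited.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_tomcat_users(SAMPLE_TOMCAT_USERS)
    for user, reason in results:
        print("WEAK: user '%s': %s" % (user, reason))
    if not results:
        print("No privileged users with empty or trivial passwords found.")
```

Run it against `$CATALINA_HOME/conf/tomcat-users.xml` after the installer has finished; an empty result corresponds to the state Saw Chee Hong reported for 5.0.27. Note that, as the reply in the thread says, a clean result only covers this particular issue, not the rest of the installation.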
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org