Windows distribution vulnerability


Windows distribution vulnerability

by David Norheim

Hi,

I would like someone's opinion on the following issue that we have
discovered using the Windows distribution of Tomcat 6 (tested with
Tomcat 6.0.14, 6.0.16 and 6.0.20, downloaded from [1]).

The documentation for Tomcat 6 states

> It would be quite unsafe to ship Tomcat with default settings that  
> allowed anyone on the Internet to execute the Manager application on  
> your server. Therefore, the Manager application is shipped with the  
> requirement that anyone who attempts to use it must authenticate  
> themselves, using a username and password that have the role manager  
> associated with them. Further, there is no username in the default  
> users file ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned  
> this role. Therefore, access to the Manager application is  
> completely disabled by default.

While installing the zip or tar.gz version of the binary distributions
does not enable the manager application, the Windows exe version does.

Having downloaded the exe version and started the wizard, you get to a
screen where you are asked to enter an Administrator Login username and
password. The default settings leave you with a tomcat-users.xml file
that has the manager application enabled. Also, there is (as far as I
can see) no way to avoid this step in the installation wizard.

The net result is that you end up with an unsafe installation, with
this statement in the tomcat-users.xml file:

<user name="admin" password="" roles="admin,manager" />

This is, as far as I can see, related to some of the problems that have
occurred in the past, notably [2], and we also had a situation related
to this in our installation. As far as I can see there is nothing
wrong with the distribution file itself; it seems to be valid in
relation to the md5 file, so this must have been a design choice.

Could someone please comment on this, and on whether there are any
planned actions related to it?


Best regards,
David

[1] http://archive.apache.org/dist/tomcat/tomcat-6/
[2] http://www.nabble.com/Possible-hack-tool-kit-on-tomcat-6.0.16-td18928896.html#a19811097

David Norheim
Principal Engineer | Semantic Web Advocate
Direct: +47 6783 1085 | Mobile: +47 95 94 69 49
Email: david.norheim@...
Web: www.computas.com

Computas AS  Lysaker Torg 45, PO Box 482, N-1327 Lysaker
Phone:+47 6783 1000 | Fax:+47 6783 1001
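The following Python script is an added example, not code from David's post or from Tomcat itself. It parses a tomcat-users.xml file and flags any account that holds a manager or admin role with an empty (or, by an editor's assumed threshold, short) password, which is exactly the state the installer described above leaves behind. The two sample documents are constructed for this example: the first reproduces the <user> line quoted in the post, the second is one possible hardened version. The finer-grained manager-*/admin-* roles in the role list, the 12-character threshold and the "deployer" and "tomcat" accounts are assumptions for illustration and are not stated in the thread.

```python
"""Audit tomcat-users.xml for privileged accounts with empty or short passwords.

Added example; not code from the thread or from Tomcat. The sample documents
below are constructed: INSTALLER_DEFAULT reproduces the <user> line quoted in
the post, HARDENED is one way an administrator might fix it.
"""
import xml.etree.ElementTree as ET

# Roles that let a caller deploy or undeploy web applications. "manager" and
# "admin" are the roles named in the post; the manager-*/admin-* roles are the
# finer-grained roles later Tomcat releases use, included (as an assumption
# about where this check will be run) so it stays useful on those versions.
PRIVILEGED_ROLES = {
    "manager", "admin",
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

MIN_PASSWORD_LENGTH = 12  # editor's assumption, not a Tomcat default

# Constructed: mirrors the file the Windows installer leaves behind.
INSTALLER_DEFAULT = """<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user name="admin" password="" roles="admin,manager" />
</tomcat-users>
"""

# Constructed: the privileged account has a real password. The unprivileged
# "tomcat" account is deliberately weak to show that it is not flagged,
# because it holds no privileged role (this check is only about the
# manager/admin exposure the post describes).
HARDENED = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tomcat"/>
  <user username="deployer" password="CorrectHorseBatteryStaple-9f3a" roles="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""


def parse_users(xml_text):
    """Return [(username, password, roles)] for every <user> element.

    Tomcat's MemoryUserDatabase accepts both 'username' and 'name' for the
    account attribute (the installer wrote 'name'), so both are honoured.
    """
    root = ET.fromstring(xml_text)
    users = []
    for elem in root.iter("user"):
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        users.append((name, password, roles))
    return users


def audit(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    for name, password, roles in parse_users(xml_text):
        privileged = roles & PRIVILEGED_ROLES
        if not privileged:
            continue  # weak unprivileged accounts are out of scope here
        role_list = ",".join(sorted(privileged))
        if password == "":
            findings.append(
                f"user '{name}' holds privileged roles {role_list} with an empty password")
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append(
                f"user '{name}' holds privileged roles {role_list} "
                f"with a short password ({len(password)} chars)")
    return findings


if __name__ == "__main__":
    for label, doc in (("installer default", INSTALLER_DEFAULT), ("hardened", HARDENED)):
        print(f"{label}: {audit(doc) or 'no findings'}")
```

To run it against a real installation, call `audit(open(path_to_tomcat_users_xml).read())` with the path under $CATALINA_BASE/conf. The simplest remediation on an installer-produced box is to delete the password-less admin line entirely, which restores the "no user has the manager role" state the documentation quoted above promises; giving the account a strong password is the alternative when the manager application is actually needed.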





Re: Windows distribution vulnerability

by Tim Funk

Confirmed. The docs are not in sync with what the installer does. We'll
get this fixed in a future release.

In future, please report possible security issues privately rather than
publicly.

-Tim


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


Re: Windows distribution vulnerability

by Mark Thomas

Tim Funk wrote:
> Confirmed. The docs are not in sync with what the installer does. We'll
> get this fixed in a future release.
>
> In future, please report possible security issues privately rather than
> publicly.
>
> -Tim

To complete the thread, this was announced as CVE-2009-3548.

Mark
