You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Jon Stevens <jo...@latchkey.com> on 2000/07/21 23:28:33 UTC

FW: Jakarta-tomcat.../admin

Here is another one...

Now that Tomcat is a target for ppl on Bugtraq. Let the games begin.

:-)

-jon

----------
From: Scott Morris <sm...@GRIDNET.COM>
Reply-To: Scott Morris <sm...@GRIDNET.COM>
Date: Fri, 21 Jul 2000 09:47:00 -0400
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Jakarta-tomcat.../admin

Summary:

Jakarta Tomcat contains a security bug that can compromise UNIX servers
running Tomcat as root.
Tomcat can be used together with the Apache web server or a stand alone
server for Java Servlets as well as Java Servlet Pages.

Problem:

The defaullt intall of Tomcat contains a mounted contest ( /admin ) that
contains servlets that can be used to add, delete, or view context
information about the Tomcat Server.  Under UNIX, the root directory can bee
added as a context, and if the server is running as root, all files on the
system can be viewed over the web.

Possible Solution:

1)  Do not run the Tomcat server as root
2)  Restrict access to the /admin context or remove it completely.


Scott Morris
UNIX Admin
Gridnet International
Key Fingerprint:  814E 7771 6EA9 6C94 B1C9  09C6 D86E 755E A0A9 1B67