Posted to users@tomcat.apache.org by Len Popp <le...@gmail.com> on 2007/09/09 20:34:28 UTC

Tomcat exploit attempt

Today I noticed in my access log file, for the first time, what looks
like an attempt to exploit a security vulnerability in Tomcat. I've
seen thousands of attempted exploits against software that I'm not
even running (IIS, SQL Server, PHP) but this is the first one I've
seen directed at Tomcat specifically.

I thought I'd mention it because it's unusual, and also to remind
people to make sure that webapps that aren't needed are undeployed,
and ones not meant for public use are blocked from the internet. That
includes manager, host-manager, webdav, balancer, and the example
webapps. And, of course, keep up to date with security fixes.

The request in question was for the page "/manager/html". Here's how I
know it wasn't legitimate:
- There were no other requests from that IP, i.e. they didn't look at
any actual web pages on my site.
- The request had no User-Agent. That's a common feature of exploit
attempts, according to my logs.
- There have been a couple of XSS vulnerabilities reported recently in
the Manager webapp. I guess if the request for /manager/html had
returned something it would have been followed by an exploit for one
of these vulnerabilities.

Finally, don't be alarmed. I don't recall hearing about a *successful*
exploit against a Tomcat server. So don't worry, be happy. :-)
-- 
Len

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
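The three tells Len lists (a hit on an admin or demo webapp, no User-Agent, and no ordinary page requests from the same IP) are easy to turn into a scanner over Tomcat's AccessLogValve output. The code below is an added example, not part of Len's post or of Tomcat; it assumes the "combined" log pattern (%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"), the list of sensitive path prefixes is taken from the post, and the log lines, IP addresses and timestamps are constructed for illustration.

```python
"""Scan Tomcat access-log lines for probes of admin/demo webapps.

Added example; not from the original mailing-list post. Assumes the
AccessLogValve "combined" pattern. All log lines below are constructed.
"""
import re
from collections import Counter

# Webapps the post says should be undeployed or blocked from the internet.
SENSITIVE_PREFIXES = ("/manager", "/host-manager", "/webdav",
                      "/balancer", "/examples")

# %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (made-up addresses and times).
LOG_LINES = [
    # ordinary visitor browsing pages with a normal browser
    '198.51.100.7 - - [09/Sep/2007:12:01:03 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Sep/2007:12:01:05 -0400] "GET /about.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"',
    # the kind of probe the post describes: one hit, no User-Agent, manager path
    '203.0.113.44 - - [09/Sep/2007:14:22:10 -0400] "GET /manager/html HTTP/1.0" 404 0 "-" "-"',
    # an administrator on the LAN using the manager with a browser
    '10.0.0.5 - - [09/Sep/2007:15:00:00 -0400] "GET /manager/html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Sep/2007:15:00:07 -0400] "GET /manager/html/list HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    # noise aimed at other software; not this scanner's business
    '203.0.113.99 - - [09/Sep/2007:16:10:00 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "-"',
]


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # "-" means the header was absent; normalise to an empty string.
    d["ua"] = "" if d["ua"] in (None, "-") else d["ua"]
    return d


def is_sensitive(path):
    """True if the path (query string ignored) targets an admin/demo webapp."""
    return path.split("?", 1)[0].startswith(SENSITIVE_PREFIXES)


def scan(lines):
    """Return one finding per request for a sensitive path, with the
    heuristics from the post that apply to it."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    # Per IP: how many requests were for normal (non-sensitive) pages.
    ordinary = Counter(r["ip"] for r in records if not is_sensitive(r["path"]))
    findings = []
    for r in records:
        if not is_sensitive(r["path"]):
            continue
        reasons = ["request for admin/demo webapp"]
        if not r["ua"]:
            reasons.append("no User-Agent header")
        if ordinary[r["ip"]] == 0:
            reasons.append("no ordinary page requests from this IP")
        findings.append({"ip": r["ip"], "path": r["path"],
                         "status": r["status"], "reasons": reasons})
    return findings


def likely_probes(lines):
    """Findings where all three heuristics hold at once."""
    return [f for f in scan(lines) if len(f["reasons"]) == 3]


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["ip"], f["path"], f["status"], "; ".join(f["reasons"]))
```

The administrator's own manager sessions still show up in scan() because they hit a sensitive path, which is the point: if the manager is reachable from outside at all, every hit deserves a look, and the extra heuristics only rank how suspicious each one is. A 404 on /manager/html, as in the constructed probe, is what you want to see: it means the manager webapp is not deployed or not reachable from that address.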