Posted to users@tomcat.apache.org by Lorenzo Jiménez <lj...@nacion.co.cr> on 2005/04/13 22:18:56 UTC

Information on a hacked tomcat 5

Hi,

If someone on the net found out, for whatever reason, our admin or manager user and password, what resources can he get, besides turning the apps on/off, by looking at tomcat-users.xml?

Can he/she get info from the application context.xml, like database users and passwords?
Can he/she deploy an exe or script to turn the server into a zombie?
Change the server init scripts?
Change the root password?

Thanks very much,

Lorenzo Jimenez







-------------------------------------------------------------

If you are not the addressee indicated in this message, or the person responsible 
for delivering it, you must not copy or forward this message; please notify 
infosegura@nacion.com. For further reference on important terms 
relating to this e-mail, visit http://www.nacion.com/disclaimer/index_es2.htm

If you are not the addressee indicated in this message (or responsible for delivery of the 
message to such person), you may not copy or send this message to anyone, please notify
to infosegura@nacion.com. Click here for important additional terms relating to this e-mail. 
<http://www.nacion.com/disclaimer/index_en2.htm>

-------------------------------------------------------------



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Information on a hacked tomcat 5

Posted by Mark Thomas <ma...@apache.org>.
It depends on whether these apps are visible to the internet. You can use a 
remote address filter (actually a valve, not a filter in the servlet API 
sense of the word) to limit their accessibility.

If the apps are visible, an attacker with your manager password can 
replace one of your trusted apps/deploy their own app which can do 
anything allowed by your security policy and the permissions of the user 
under which the tomcat process runs. Assuming they can then escalate 
their access via some other vulnerability, getting root access is also 
possible.

Things you can do to mitigate this risk:
- configure a remote address filter for all admin-sensitive apps (admin, 
manager + any of your own)
- configure a security manager

and then test your configuration to make sure it does what you think it 
does.

Depending on your OS there may be other things you can do to isolate the 
tomcat process from the rest of the box.

Mark

Lorenzo Jiménez wrote:
> Hi,
> 
> If someone on the net found out, for whatever reason, our admin or manager user and password, what resources can he get, besides turning the apps on/off, by looking at tomcat-users.xml?
> 
> Can he/she get info from the application context.xml, like database users and passwords?
> Can he/she deploy an exe or script to turn the server into a zombie?
> Change the server init scripts?
> Change the root password?
> 
> Thanks very much,
> 
> Lorenzo Jimenez


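As an added example (not part of the thread, and not Tomcat's shipped file), this is what the first mitigation Mark lists looks like for the manager application in a Tomcat 5.5 layout: a context descriptor at conf/Catalina/localhost/manager.xml carrying a RemoteAddrValve. The loopback address and the 10.1.2.x range are assumed placeholder values for an admin network.

```xml
<!-- conf/Catalina/localhost/manager.xml (Tomcat 5.5 layout; added example, not the
     file shipped with Tomcat).
     RemoteAddrValve compares the client's IP address against the comma-separated
     regular expressions in "allow"; a request from any address that matches none of
     them is rejected with 403 Forbidden before the manager servlet ever sees it.
     Dots are escaped because every entry is a regex, not a literal address.
     127.0.0.1 and 10.1.2.* are assumed placeholder values for the admin network. -->
<Context docBase="${catalina.home}/server/webapps/manager"
         privileged="true" antiResourceLocking="false" antiJARLocking="false">

  <!-- Only these source addresses may reach /manager at all. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.1\.2\.[0-9]+"/>

  <!-- Link to the user database the manager gets its roles from
       (kept as in the stock descriptor). -->
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.users.MemoryUserDatabase"/>
</Context>
```

The second mitigation, the security manager, is enabled by starting Tomcat with `catalina.sh start -security`, which applies the grants in conf/catalina.policy to each web application. To test the valve as Mark suggests, request /manager/html from a host outside the allowed patterns and confirm the response is 403 Forbidden, not a login prompt.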