Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2009/11/09 14:54:26 UTC

Re: Windows distribution vulnerability

Tim Funk wrote:
> Confirmed. The docs are not in sync with what the installer does. We'll
> get this fixed in a future release.
> 
> In future, please report possible security issues privately rather than
> publicly.
> 
> -Tim

To complete the thread, this was announced as CVE-2009-3548.

Mark

> 
> David Norheim wrote:
>> Hi,
>>
>> I would like someone's opinion on the following issue that we have
>> discovered using the windows distribution of Tomcat 6. (tested for
>> Tomcat 6.0.14, 6.0.16 and 6.0.20 downloaded from [1])
>>
>> The documentation for Tomcat 6 states
>>
>>> It would be quite unsafe to ship Tomcat with default settings that
>>> allowed anyone on the Internet to execute the Manager application on
>>> your server. Therefore, the Manager application is shipped with the
>>> requirement that anyone who attempts to use it must authenticate
>>> themselves, using a username and password that have the role manager
>>> associated with them. Further, there is no username in the default
>>> users file ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned
>>> this role. Therefore, access to the Manager application is completely
>>> disabled by default.
>>
>> While installing the zip or tar.gz version of the binary distributions
>> does not open for the manager application, the windows exe version does.
>>
>> Having downloaded the exe version and started the wizard, you get to a
>> screen where you are asked to enter an Administrator Login username and
>> password. The default settings leave you with a tomcat-users.xml file
>> that has the manager application enabled. Also there is (as far as I
>> can see) no way to avoid this step in the installation wizard.
>>
>> The net result is that you end up with an unsafe installation, having
>> this statement in the tomcat-users.xml file
>>
>> <user name="admin" password="" roles="admin,manager" />
>>
>> This is, as far as I can see, related to some of the problems that have
>> occurred in the past, notably [2], and we also had a situation related
>> to this in our installation. As far as I can see there is nothing
>> wrong with the distribution file itself - it seems to be valid in
>> relation to the md5 file, so this must have been a design choice.
>>
>> Could someone please comment on this, and on whether there are any
>> planned actions related to this?
>>
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
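A defender-side check for the installer default described in the thread, added here as an example and not part of the original messages or of Tomcat itself: it parses a tomcat-users.xml and reports any account holding the admin or manager role with an empty or missing password. The sample file below is constructed; only the admin line mirrors the one quoted above, and the `username` attribute and XML namespace handling are assumptions covering later Tomcat releases.

```python
import xml.etree.ElementTree as ET

# Roles that grant control over deployed webapps (the Tomcat 6 manager and
# admin applications named in the tomcat-users.xml line quoted in the thread).
PRIVILEGED_ROLES = {"admin", "manager"}


def _local_name(tag):
    """Strip an XML namespace ('{ns}user' -> 'user'); later Tomcat releases
    add xmlns="http://tomcat.apache.org/xml" to tomcat-users.xml (assumption)."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, privileged_roles, reason) for risky accounts.

    An account is risky when it holds a privileged role and its password is
    empty or absent. Both the 'name' attribute (as in the quoted file) and the
    'username' attribute used by later releases are accepted.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or "<unnamed>"
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        password = el.get("password")
        if privileged and not password:
            reason = "empty password" if password == "" else "missing password attribute"
            findings.append((name, sorted(privileged), reason))
    return findings


# Constructed sample: the admin line mirrors the installer default quoted in
# the thread; the other accounts show what should not be flagged.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user name="admin" password="" roles="admin,manager" />
  <user name="deploy" password="CHANGE-ME-long-random-secret" roles="manager" />
  <user name="guest" password="" roles="tomcat" />
</tomcat-users>
"""

if __name__ == "__main__":
    for name, roles, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"RISK: user '{name}' holds {roles} with {reason}")
```

Run against a real `$CATALINA_BASE/conf/tomcat-users.xml` by passing the file contents to `audit_tomcat_users`; an empty result means no privileged account is left without a password.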
