Posted to users@tomcat.apache.org by Saw Chee Hong <sa...@gmail.com> on 2009/12/07 05:53:40 UTC

Apache Tomcat Windows Installer Insecure Password Vulnerability

I saw this on one of the Apache websites.

*[Summary]*
Apache Tomcat is prone to an insecure-password vulnerability in the Windows
installer.  The administrative password defaults to a blank password during
the install process.

Attackers may exploit this issue to obtain administrative access to the
application.  Other attacks may also be possible.
*[Affected Version]*
Tomcat 6.0.0 through 6.0.20 and Tomcat 5.5.0 through 5.5.28 are vulnerable;
Unsupported versions in the 3.x, 4.x, 4.1.x, and 5.0.x branches may also be
affected.

*[Solution/Workaround]*

The following workarounds are available:

1. Install the application via the .zip or .tar.gz distributions instead of
using the Windows installer method.

2. Remove the 'admin' user from 'tomcat-users.xml' after the Windows
installer has completed.

3. Edit the 'tomcat-users.xml' file to provide the 'admin' user with a
strong password after the Windows installer has completed.

Currently my Tomcat version is 5.0.27. I have checked the 'tomcat-users.xml'
file and it doesn't contain the 'admin' user.

Does this mean that my tomcat is safe?

Thank you for answering my question.

Best Regards,
Saw Chee Hong
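As an added illustration of workarounds 2 and 3 above (example code written for this page, not part of the thread or of the Tomcat project), a small Python check that parses a tomcat-users.xml, reports accounts with blank or trivial passwords, and drops the installer's 'admin' account. The sample file content is constructed to mirror what the advisory describes, and the fallback to the older `name=` attribute used by 4.x/5.0 files is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml: an 'admin' account with an empty
# password attribute, as the affected Windows installer wrote it.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# Roles that grant deployment or management rights; a weak password on one
# of these is what the advisory warns about.
PRIVILEGED_ROLES = {"admin", "manager"}


def _username(user):
    # Tomcat 5.5+ uses username=; older 4.x/5.0 files used name= (assumption).
    return user.get("username", user.get("name", ""))


def audit_tomcat_users(xml_text):
    """Return (username, problem) findings for the given tomcat-users.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        name = _username(user)
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if password == "":
            findings.append((name, "blank password"))
        elif password == name:
            findings.append((name, "password equals username"))
        if name == "admin" and roles & PRIVILEGED_ROLES:
            findings.append((name, "default 'admin' account still present"))
    return findings


def remove_user(xml_text, username):
    """Return the file with the named <user> element removed (workaround 2)."""
    root = ET.fromstring(xml_text)
    for user in list(root.findall("user")):
        if _username(user) == username:
            root.remove(user)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, problem in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: {problem}")
    print(remove_user(SAMPLE_TOMCAT_USERS, "admin"))
```

Run it against the real file (CATALINA_HOME/conf/tomcat-users.xml) instead of the constructed sample to check an installed instance.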

Re: Apache Tomcat Windows Installer Insecure Password Vulnerability

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pid,

On 12/7/2009 5:23 AM, Pid wrote:
> On 07/12/2009 04:53, Saw Chee Hong wrote:
>> Currently my Tomcat version is 5.0.27. I have checked the
>> 'tomcat-users.xml' file and it doesn't contain the 'admin' user.
> 
> Then you are not at risk from *this particular* issue.

+1

>> Does this mean that my tomcat is safe?
> 
> No idea.  That's too open ended a question - we can't tell what else
> you've done to it.

+1

Please note that Tomcat 5.0 is no longer supported. There could be
unpatched security vulnerabilities in your version that will /never be
fixed/ due to its "unsupported" status.

You should upgrade to Tomcat 6.0 at your earliest convenience.

... and make sure you re-check the tomcat-users.xml file. Better yet,
delete it and don't use it ;)

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Apache Tomcat Windows Installer Insecure Password Vulnerability

Posted by Pid <pi...@pidster.com>.
On 07/12/2009 04:53, Saw Chee Hong wrote:
> I saw this on one of the Apache websites.
>
> *[Summary]*
> Apache Tomcat is prone to an insecure-password vulnerability in the Windows
> installer.  The administrative password defaults to a blank password during
> the install process.
>
> Attackers may exploit this issue to obtain administrative access to the
> application.  Other attacks may also be possible.
> *[Affected Version]*
> Tomcat 6.0.0 through 6.0.20 and Tomcat 5.5.0 through 5.5.28 are vulnerable;
> Unsupported versions in the 3.x, 4.x, 4.1.x, and 5.0.x branches may also be
> affected.
>
> *[Solution/Workaround]*
>
> The following workarounds are available:
>
> 1. Install the application via the .zip or .tar.gz distributions instead of
> using the Windows installer method.
>
> 2. Remove the 'admin' user from 'tomcat-users.xml' after the Windows
> installer has completed.
>
> 3. Edit the 'tomcat-users.xml' file to provide the 'admin' user with a
> strong password after the Windows installer has completed.
>
> Currently my Tomcat version is 5.0.27. I have checked the 'tomcat-users.xml'
> file and it doesn't contain the 'admin' user.

Then you are not at risk from *this particular* issue.

> Does this mean that my tomcat is safe?

No idea.  That's too open ended a question - we can't tell what else 
you've done to it.


p


> Thank you for answering my question.
>
> Best Regards,
> Saw Chee Hong
>
