Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/11/11 12:25:50 UTC

svn commit: r1540670 - /tomcat/trunk/webapps/docs/security-howto.xml

Author: markt
Date: Mon Nov 11 11:25:50 2013
New Revision: 1540670

URL: http://svn.apache.org/r1540670
Log:
Add more detail to the security how-to

Modified:
    tomcat/trunk/webapps/docs/security-howto.xml

Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1540670&r1=1540669&r2=1540670&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Mon Nov 11 11:25:50 2013
@@ -72,10 +72,74 @@
   </section>
 
   <section name="Default web applications">
-    <p>Tomcat ships with a number of web applications by default.
-    Vulnerabilities have been discovered in these applications in the past.
-    Applications that are not required should be removed so the system will not
-    be at risk if another vulnerability is discovered.</p>
+
+    <subsection name="General">
+      <p>Tomcat ships with a number of web applications that are enabled by
+      default. Vulnerabilities have been discovered in these applications in the
+      past. Applications that are not required should be removed so the system
+      will not be at risk if another vulnerability is discovered.</p>
+    </subsection>
+
+    <subsection name="ROOT">
+      <p>The ROOT web application presents a very low security risk but it does
+      include the version of Tomcat that is being used. The ROOT web application
+      should normally be removed from a publicly accessible Tomcat instance, not
+      for security reasons, but so that a more appropriate default page is shown
+      to users.</p>
+    </subsection>
+
+    <subsection name="Documentation">
+      <p>The documentation web application presents a very low security risk but
+      it does identify the version of Tomcat that is being used. It should
+      normally be removed from a publicly accessible Tomcat instance.</p>
+    </subsection>
+
+    <subsection name="Examples">
+      <p>The examples web application should always be removed from any security
+      sensitive installation. While the examples web application does not
+      contain any known vulnerabilities, it is known to contain features
+      (particularly the cookie examples that display the contents of all
+      received and allow new cookies to be set) that may be used by an attacker
+      in conjunction with a vulnerability in another application deployed on the
+      Tomcat instance to obtain additional information that would otherwise be
+      unavailable.</p>
+    </subsection>
+
+    <subsection name="Manager">
+      <p>The Manager application allows the remote deployment of web
+      applications and is frequently targeted by attackers due to the widespread
+      use of weak passwords and publicly accessible Tomcat instances with the
+      Manager application enabled. The Manager application is not accessible by
+      default as no users are configured with the necessary access. If the
+      Manager application is enabled then guidance in the section
+      <strong>Securing Management Applications</strong> section should be
+      followed.</p>
+    </subsection>
+
+    <subsection name="Host Manager">
+      <p>The Host Manager application allows the creation and management of
+      virtual hosts - including the enabling of the Manager application for a
+      virtual host. The Host Manager application is not accessible by default a
+      no users are configured with the necessary access. If the Manager
+      application is enabled then guidance in the section <strong>Securing
+      Management Applications</strong> section should be followed.</p>
+    </subsection>
+
+   <subsection name="Securing Management Applications">
+     <p>When deploying a web application that provides management functions for
+     the Tomcat instance, the following guidelines should be followed:</p>
+     <ul>
+       <ol>Ensure that any users permitted to access the management application
+           have strong passwords.</ol>
+       <ol>Do not remove the use of the <a
+           href="config/realm.html#LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm">LockOutRealm</a>
+           which prevents brute force attacks against user passwords.</ol>
+       <ol>Uncomment the <a href="config/valve.html#Remote_Address_Filter">RemoteAddrValve</a>
+           in <code>/META-INF/context.xml</code> which limits access to
+           localhost. If remote access is required, limit it to specific IP
+           addresses using this valve.</ol>
+     </ul>
+   </subsection>
   </section>
 
   <section name="Security manager">
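Review bot: the list in the "Securing Management Applications" subsection (the `<ul>` near the end of the hunk) wraps each item in `<ol>` instead of `<li>`, which is not valid markup and will not render as a list; either make the container `<ol>` with `<li>` children, since the three items read as ordered guidelines, or keep `<ul>` and change each `<ol>` to `<li>`. In the same list, `<code>/META-INF/context.xml</code>` does not say which web application's `META-INF/context.xml` is meant, and the leading slash reads as an absolute path; name the application being secured (Manager or Host Manager) so the reader edits the right file. Wording fixes elsewhere in the hunk: "display the contents of all received and allow new cookies to be set" in the Examples subsection is missing the word "cookies" after "received"; "guidance in the section <strong>Securing Management Applications</strong> section" appears in both the Manager and Host Manager subsections and repeats "section"; "not accessible by default a no users" in Host Manager should read "as no users"; and the Host Manager subsection's closing sentence says "If the Manager application is enabled", where "Host Manager" appears to be intended. Consider also softening "prevents brute force attacks" for the LockOutRealm to "limits" or "slows", since locking out an account after repeated failures mitigates password guessing rather than eliminating it.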



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org