Posted to users@tomcat.apache.org by Alexandros Kotsiras <ko...@mediaondemand.com> on 2000/07/21 23:46:14 UTC
!!!!! Security Bug in Tomcat ???
Hello,
I am currently using Tomcat in a production environment and I am very
satisfied with it.
I just received the following email from my company's UNIX admin :
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]
Sent: Friday, July 21, 2000 9:47 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Jakarta-tomcat.../admin
Summary:
Jakarta Tomcat contains a security bug that can compromise UNIX servers
running Tomcat as root.
Tomcat can be used together with the Apache web server or as a stand-alone
server for Java Servlets as well as Java Servlet Pages.
Problem:
The default install of Tomcat contains a mounted context ( /admin ) that
contains servlets that can be used to add, delete, or view context
information about the Tomcat Server. Under UNIX, the root directory can be
added as a context, and if the server is running as root, all files on the
system can be viewed over the web.
Possible Solution:
1) Do not run the Tomcat server as root
2) Restrict access to the /admin context or remove it completely.
Since I am not really an advanced user, I would like to see a response from
the Tomcat gurus of the user-group.
BTW I am not running it as root.
Thanks,
Alex.
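An added audit script, written for this page and not taken from Alex's mail or the Bugtraq note, that checks the two conditions the note combines: a Tomcat process owned by root, and an /admin context still mounted. It assumes a Tomcat 3.x style server.xml with <Context path="/admin" .../> entries and a process listing of "user command-line" rows; the sample inputs at the bottom are constructed.

```sh
#!/bin/sh
# Audit for the two issues in the Bugtraq note: Tomcat running as root and a
# mounted /admin context. Assumption: Tomcat 3.x server.xml layout.

# admin_context_mounted SERVER_XML
#   returns 0 if an uncommented <Context path="/admin" ...> is present.
admin_context_mounted() {
    # drop single-line XML comments so a commented-out admin context does not count
    sed 's/<!--.*-->//g' "$1" | grep -q '<Context[^>]*path="/admin"'
}

# tomcat_owned_by_root PS_LISTING
#   PS_LISTING holds "user command-line" rows (as produced by: ps -eo user=,args=).
#   returns 0 if a root-owned process has "tomcat" in its command line.
tomcat_owned_by_root() {
    awk '$1 == "root" && tolower($0) ~ /tomcat/ { found = 1 } END { exit !found }' "$1"
}

# audit_tomcat SERVER_XML PS_LISTING
#   prints one line per finding and returns the number of findings (0 = clean).
audit_tomcat() {
    issues=0
    if tomcat_owned_by_root "$2"; then
        echo "FINDING: Tomcat runs as root - run it under a dedicated unprivileged user"
        issues=$((issues + 1))
    fi
    if admin_context_mounted "$1"; then
        echo "FINDING: /admin context is mounted - remove it or restrict access to it"
        issues=$((issues + 1))
    fi
    return $issues
}

# Constructed sample inputs reproducing the vulnerable setup described in the post.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/server.xml" <<'EOF'
<Server>
  <ContextManager>
    <Context path="/examples" docBase="webapps/examples" />
    <Context path="/admin" docBase="webapps/admin" />
  </ContextManager>
</Server>
EOF
    printf '%s\n' 'root /usr/bin/java -cp tomcat.jar org.apache.tomcat.startup.Tomcat' \
                  'alex /usr/bin/vi server.xml' > "$dir/ps.txt"
    echo "$dir"
}

SAMPLES=$(write_samples)
audit_tomcat "$SAMPLES/server.xml" "$SAMPLES/ps.txt" || echo "findings: $?"   # prints 2 findings
```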