Thread: Windows distribution vulnerability (3 messages in org.apache.tomcat.users)
Messages: David Norheim (Oct 26, 2009 4:10 am), Tim Funk (Oct 26, 2009 5:17 am), Mark Thomas (Nov 9, 2009 5:54 am)

Subject: Windows distribution vulnerability
From: David Norheim
Date: Oct 26, 2009 4:10:45 am


I would like someone's opinion on the following issue that we have discovered using the Windows distribution of Tomcat 6 (tested for Tomcat 6.0.14, 6.0.16 and 6.0.20 downloaded from [1]).

The documentation for Tomcat 6 states

It would be quite unsafe to ship Tomcat with default settings that allowed anyone on the Internet to execute the Manager application on your server. Therefore, the Manager application is shipped with the requirement that anyone who attempts to use it must authenticate themselves, using a username and password that have the role manager associated with them. Further, there is no username in the default users file ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned this role. Therefore, access to the Manager application is completely disabled by default.

While installing the zip or tar.gz version of the binary distributions does not open up the manager application, the Windows exe version does.

Having downloaded the exe version and started the wizard, you get to a screen where you are asked to enter an Administrator Login username and password. The default settings leave you with a tomcat-users.xml file that has the manager application enabled. Also, there is (as far as I can see) no way to avoid this step in the installation wizard.

The net result is that you end up with an unsafe installation, having this statement in the tomcat-users.xml file

<user name="admin" password="" roles="admin,manager" />

This is, as far as I can see, related to some of the problems that have occurred in the past, notably [2], and we also had a situation related to this in our installation. As far as I can see there is nothing wrong with the distribution file itself - it seems to be valid in relation to the md5 file, so this must have been a design choice.

Could someone please comment on this, and if there are any planned actions related to this.

Best regards, David

[1] [2]

Computas AS Lysaker Torg 45, PO Box 482, N-1327 Lysaker Phone:+47 6783 1000 | Fax:+47 6783 1001