It depends on whether these apps are visible to the internet. You can use a remote address filter (actually a valve, not a filter in the servlet API sense of the word) to limit their accessibility.

If the apps are visible, an attacker with your manager password can replace one of your trusted apps or deploy their own app, which can do anything allowed by your security policy and the permissions of the user under which the Tomcat process runs. Assuming they can then escalate their access via some other vulnerability, getting root access is also possible.

Things you can do to mitigate this risk:
- configure a remote address filter for all admin-sensitive apps (admin, manager + any of your own)
- configure a security manager

and then test your configuration to make sure it does what you think it does.

Depending on your OS there may be other things you can do to isolate the Tomcat process from the rest of the box.

Mark
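The two mitigations Mark lists, written out as a Tomcat configuration. This is an added example, not code from either message: it assumes the manager app is configured through a per-context file at $CATALINA_BASE/conf/Catalina/localhost/manager.xml, uses the Tomcat 7+ single-regex syntax for `allow` (Tomcat 5.5/6 take a comma-separated list of regular expressions instead), and the 10.20.30.0/24 admin subnet is a made-up placeholder.

```xml
<!-- Added example, not from the list thread.
     Assumed location: $CATALINA_BASE/conf/Catalina/localhost/manager.xml
     (the per-context file for the /manager webapp). -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Remote address valve: only the loopback addresses (IPv4 and IPv6)
       and an assumed admin subnet (10.20.30.0/24, placeholder) may reach
       /manager at all. Any other source address gets an HTTP 403 before
       the BASIC-auth challenge, so a leaked manager password is useless
       from the internet. The valve runs before the webapp's filters,
       which is why Mark calls it a valve rather than a servlet filter. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.30\.\d+" />

</Context>
```

Apply the same `<Valve>` to the admin context and to any of your own administrative webapps, then start Tomcat with `catalina.sh start -security` so that `conf/catalina.policy` limits what a deployed webapp may do (file system, sockets, `Runtime.exec`) even if someone does manage to deploy one. The test Mark recommends is the obvious one: from an address outside the allow pattern, a request for /manager/html must come back as 403 without a password prompt, and from an allowed address it must still prompt.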

Lorenzo Jiménez wrote:
Hi,

If someone on the net found out, for any reason, our admin or manager user and
password, what resources can he get besides turning the apps on/off, by looking at
tomcat-users.xml?

Can he/she get info from the application context.xml like database user and
passwords?
Can he/she deploy an exe or script to convert a server into a zombie?
Change the server init scripts?
Change the root password?

Thanks very much,

Lorenzo Jimenez




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]