Ognjen Blagojevic wrote:
Chris,
On 25.11.2013 20:56, Christopher Schultz wrote:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
----
What most users do is to copy the XML example, and paste it into
tomcat-users.xml.
If that were the case, I would have expected to see "tomcat:s2cret"
listed in the worm's "obvious creds" list. Since it's not there, I
suppose that either it's not used very often in the wild or the
authors are not very smart.
This worm maybe does not, but I found references to that
username/password in wordlists[1], blogs[2,3] and books[4]. For me, that
is a sign that Tomcat should avoid using that particular example password.
-Ognjen
[1] https://github.com/lattera/metasploit/blob/master/data/wordlists/tomcat_mgr_default_userpass.txt
[2] http://www.socialseer.com/2013/07/14/watching-the-hackers-try-to-break-into-tomcat/
[3] http://x9090.blogspot.com/2012/09/a-case-study-of-tomcat-web-server.html
[4] http://www.amazon.com/Hacking-Exposed-Network-Security-Solutions/dp/0071780289
My company has been distributing an (external) software package for 30 years. In the
standard distribution, there are 3 users defined with 3 standard passwords, to use for the
initial demo and user training. The documentation has a prominent section in capitals and
red color that says that the passwords of these users should be changed, or these users
deleted, as soon as the initial testing phase is over.
When I go visit customers however, about 50% of them still have these users enabled with
the original passwords, even at some very security-conscious places.
Users are like that.
So yes, by all means, have the Manager disabled by default; even when subsequently enabled,
restrict it by default to localhost; and in the documentation and examples, use some
password that is guaranteed NOT to work and MUST be changed. "******" may be a good way to
suggest that it has to be changed, though I am sure that there will be users trying it
literally.
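Both posts above describe the same failure mode: the documentation example (or a vendor's demo account) gets pasted into tomcat-users.xml and never changed, and the pair then shows up in attacker wordlists. The following audit script is an added example written for this thread; it is not code from the original posts or from the Tomcat project. It parses a tomcat-users.xml (with or without the http://tomcat.apache.org/xml namespace), checks each user against a default-credential wordlist and against a set of documentation placeholders such as "******", and rates the finding higher when the account also holds a Manager or Host Manager role. The sample XML and wordlist are constructed for the example; the wordlist is assumed to use one space-separated "user password" pair per line (split_pair is the place to adjust if your copy differs), and the placeholder and role sets are the author's choices, not anything Tomcat ships.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not a real deployment): the documentation
# example was pasted in verbatim beside a demo placeholder and one real account.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="tomcat"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="demo" password="******" roles="tomcat"/>
  <user username="deploy" password="q7Vz2pL9xWf4Ks8m" roles="manager-script"/>
</tomcat-users>
"""

# Constructed stand-in for a default-credential wordlist. Assumption: one
# space-separated "user password" pair per line, as in Metasploit-style
# *_userpass.txt files; a line with no second field means a blank password.
SAMPLE_WORDLIST = """tomcat tomcat
tomcat s3cret
admin admin
manager manager
"""

# Roles that grant Manager / Host Manager access (author's list for this example).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Documentation placeholders that must never survive into production (author's list).
PLACEHOLDER_PASSWORDS = {"******", "changeme", "password", "must_change"}


def local_name(tag):
    """Strip a Clark-notation namespace so both namespaced and legacy files match."""
    return tag.rsplit("}", 1)[-1]


def split_pair(line):
    """Parse one wordlist line into (user, password); blank password if absent."""
    parts = line.split(None, 1)
    if len(parts) == 2:
        return parts[0], parts[1].strip()
    return parts[0], ""


def load_wordlist(text):
    """Return the set of (user, password) pairs in a wordlist, ignoring blanks and comments."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pairs.add(split_pair(line))
    return pairs


def audit_tomcat_users(xml_text, wordlist_text):
    """Report users whose password is a known default or a placeholder.

    Each finding carries the privileged roles the account holds; severity is
    'high' when a weak credential also opens the Manager or Host Manager apps.
    """
    known = load_wordlist(wordlist_text)
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local_name(el.tag) != "user":
            continue
        # MemoryRealm accepts either "username" or the older "name" attribute.
        user = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        reasons = []
        if (user, password) in known:
            reasons.append("credential pair appears in the default-credential wordlist")
        if password in PLACEHOLDER_PASSWORDS:
            reasons.append("password is a documentation placeholder that was never changed")
        if not reasons:
            continue
        privileged = sorted(roles & PRIVILEGED_ROLES)
        findings.append({
            "username": user,
            "privileged_roles": privileged,
            "severity": "high" if privileged else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS, SAMPLE_WORDLIST):
        print(f"[{f['severity']}] {f['username']} roles={f['privileged_roles']}: "
              + "; ".join(f["reasons"]))
```

Run it against a real tomcat-users.xml and the Metasploit wordlist cited in [1] to get the same list an attacker would start from; the "high" entries are the ones that turn a pasted example into a remote deploy. Digested passwords (CredentialHandler output) will not match the plain-text pairs, so the script only catches what the worm would catch, which is the point of the check.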