Tim Funk wrote:
> Confirmed. The docs are not in sync with what the installer does. We'll
> get this fixed in a future release.
>
> In future, please report possible security issues privately rather than
> publicly.
>
> -Tim
To complete the thread, this was announced as CVE-2009-3548.

Mark

> David Norheim wrote:
>> Hi,
>>
>> I would like someone's opinion on the following issue that we have
>> discovered using the Windows distribution of Tomcat 6 (tested for
>> Tomcat 6.0.14, 6.0.16 and 6.0.20 downloaded from [1]).
>>
>> The documentation for Tomcat 6 states:
>>
>>> It would be quite unsafe to ship Tomcat with default settings that
>>> allowed anyone on the Internet to execute the Manager application on
>>> your server. Therefore, the Manager application is shipped with the
>>> requirement that anyone who attempts to use it must authenticate
>>> themselves, using a username and password that have the role manager
>>> associated with them. Further, there is no username in the default
>>> users file ($CATALINA_BASE/conf/tomcat-users.xml) that is assigned
>>> this role. Therefore, access to the Manager application is completely
>>> disabled by default.
>>
>> While installing the zip or tar.gz version of the binary distributions
>> does not open up the manager application, the Windows exe version does.
>>
>> Having downloaded the exe version and started the wizard, you get to a
>> screen where you are asked to enter an Administrator Login username and
>> password. The default settings leave you with a tomcat-users.xml file
>> that has the manager application enabled. Also, there is (as far as I
>> can see) no way to avoid this step in the installation wizard.
>>
>> The net result is that you end up with an unsafe installation, having
>> this statement in the tomcat-users.xml file:
>>
>> <user name="admin" password="" roles="admin,manager" />
>>
>> This is, as far as I can see, related to some of the problems that have
>> occurred in the past, notably [2], and we also had a situation related
>> to this in our installation.
>> As far as I can see there is nothing wrong with the distribution file
>> itself - it seems to be valid in relation to the md5 file, so this must
>> have been a design choice.
>>
>> Could someone please comment on this, and if there are any planned
>> actions related to this.
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
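The user entry quoted in the thread is exactly what a post-install configuration audit should catch. The following is an added example, not code from the thread or from the Tomcat project: it parses a tomcat-users.xml and flags any account that holds an administrative role with an empty password. The three XML samples are constructed for the example (the first mirrors the single line the thread quotes; the others are hand-written, not copies of shipped files). The privileged-role list covers Tomcat 6's admin and manager roles and, going beyond the thread, the split manager-* and admin-* roles of later Tomcat releases; accepting both the username and name attributes mirrors what Tomcat's MemoryUserDatabase reader does.

```python
"""Audit a Tomcat tomcat-users.xml for privileged accounts with empty passwords.

Added example for the CVE-2009-3548 thread; not part of the Tomcat project.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the entry the thread reports the Windows installer
# writes when the wizard's Administrator Login fields are left at defaults.
INSTALLER_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user name="admin" password="" roles="admin,manager" />
</tomcat-users>
"""

# Constructed sample standing in for the zip/tar.gz form the documentation
# describes: no user is assigned a manager or admin role at all.
ARCHIVE_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <!-- no users defined; manager access is disabled -->
</tomcat-users>
"""

# Constructed sample of a deliberately enabled manager account: one named
# user, non-empty password, manager role only.
HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="deploy" password="a-long-random-secret" roles="manager"/>
</tomcat-users>
"""

# Roles that expose the admin/manager webapps. Tomcat 6 uses "admin" and
# "manager"; later releases split them into the finer-grained names below.
PRIVILEGED_ROLES = {
    "admin", "manager",
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}


def _user_elements(root):
    # Match <user> regardless of any XML namespace prefix on the tag.
    for elem in root.iter():
        if elem.tag.split("}")[-1] == "user":
            yield elem


def audit_tomcat_users(xml_text):
    """Return a list of (severity, account, message) findings.

    Tomcat's MemoryUserDatabase accepts either 'username' or 'name' for the
    account attribute, so both spellings are examined.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for user in _user_elements(root):
        name = user.get("username") or user.get("name") or "<unnamed>"
        password = user.get("password") or ""
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged and not password:
            findings.append(("CRITICAL", name,
                             "roles %s with empty password" % ",".join(privileged)))
        elif not password:
            findings.append(("HIGH", name, "empty password"))
        elif privileged:
            findings.append(("INFO", name, "roles %s" % ",".join(privileged)))
    return findings


def manager_enabled(xml_text):
    """True if any user holds a role that grants admin/manager access.

    This is the invariant the Tomcat 6 documentation claims for the default
    users file: it should be False on a fresh archive install.
    """
    root = ET.fromstring(xml_text)
    for user in _user_elements(root):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if roles & PRIVILEGED_ROLES:
            return True
    return False


if __name__ == "__main__":
    for label, sample in (("installer", INSTALLER_DEFAULT),
                          ("archive", ARCHIVE_DEFAULT),
                          ("hardened", HARDENED)):
        print(label, "manager enabled:", manager_enabled(sample))
        for severity, account, message in audit_tomcat_users(sample):
            print("  %s %s: %s" % (severity, account, message))
```

Run it against $CATALINA_BASE/conf/tomcat-users.xml after any install; a CRITICAL finding is the installer default the thread describes. A HIGH finding (empty password on an unprivileged account) is still worth fixing, since role assignments change over time.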