Subject: Jakarta-tomcat.../admin
From: Scott Morris (smorris@GRIDNET.COM)
Date: Fri Jul 21 2000 - 08:47:00 CDT
- Next message: Bongard, Dominique: "(New ?) Macro security hole in Word 97"
- Previous message: Alan DeKok: "StackGuard with ... Re: [Paper] Format bugs."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Summary:
Jakarta Tomcat contains a security bug that can compromise UNIX servers
running Tomcat as root.
Tomcat can be used together with the Apache web server or as a stand-alone
server for Java Servlets as well as Java Servlet Pages.
Problem:
The default install of Tomcat contains a mounted context ( /admin ) that
contains servlets that can be used to add, delete, or view context
information about the Tomcat Server. Under UNIX, the root directory can be
added as a context, and if the server is running as root, all files on the
system can be viewed over the web.
Possible Solution:
1) Do not run the Tomcat server as root
2) Restrict access to the /admin context or remove it completely.
Scott Morris
UNIX Admin
Gridnet International
Key Fingerprint: 814E 7771 6EA9 6C94 B1C9 09C6 D86E 755E A0A9 1B67
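An added audit script, written for this archive page and not part of Scott Morris's message or of the Tomcat project. It checks for the two conditions the advisory combines: a mounted /admin context, and a context whose docBase escapes the Tomcat install directory (the root directory "/" being the case described above), plus a helper for the "running as root" check. The server.xml below is a constructed sample in the style of a Tomcat 3.x configuration, and the /opt/tomcat install path is an assumption; both should be replaced with the real file and path when run against a live server.

```python
import os
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample in the style of a Tomcat 3.x server.xml (not a real install).
# The third Context mounts the filesystem root, the condition the advisory describes.
SAMPLE_SERVER_XML = """<Server>
  <ContextManager debug="0" workDir="work">
    <Context path="/examples" docBase="webapps/examples" debug="0" reloadable="true"/>
    <Context path="/admin" docBase="webapps/admin" crossContext="true" trusted="true"/>
    <Context path="/disk" docBase="/" debug="0"/>
  </ContextManager>
</Server>
"""


def doc_base_escapes_home(doc_base: str, tomcat_home: str) -> bool:
    """True if a Context's docBase resolves outside the Tomcat install directory.

    Relative docBase values are resolved against tomcat_home, as Tomcat does;
    absolute values and '..' components are normalised before the comparison,
    so docBase="/" and docBase="../../" are both reported.
    """
    home = posixpath.normpath(tomcat_home)
    resolved = posixpath.normpath(posixpath.join(home, doc_base))
    return not (resolved == home or resolved.startswith(home + "/"))


def audit_contexts(server_xml: str, tomcat_home: str = "/opt/tomcat"):
    """Return (context path, finding) pairs for every risky <Context> element.

    tomcat_home defaults to an assumed install path; pass the real one.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for ctx in root.iter("Context"):
        path = ctx.get("path", "")
        doc_base = ctx.get("docBase", "")
        if path == "/admin":
            findings.append((path, "admin context is mounted; remove it or restrict access"))
        if doc_base_escapes_home(doc_base, tomcat_home):
            findings.append((path, f"docBase {doc_base!r} lies outside {tomcat_home}"))
    return findings


def effective_uid_is_root(uid=None) -> bool:
    """True if the given (or current) effective uid is root, i.e. 0."""
    if uid is None:
        uid = os.geteuid()
    return uid == 0


if __name__ == "__main__":
    for path, finding in audit_contexts(SAMPLE_SERVER_XML):
        print(f"{path}: {finding}")
    if effective_uid_is_root():
        print("warning: this process is running as root; Tomcat should not be")
```

Run against a real server.xml by reading the file into audit_contexts and passing the actual install directory. Any /admin finding should be resolved by removing the context or putting it behind an access control, and any docBase finding by pointing the context back inside the install tree; neither check replaces running Tomcat as an unprivileged user, which is what limits the damage when such a context is added.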