TUCoPS :: Web :: Apps :: tomcat4.htm

Jakarta Tomcat retrieve arbitrary files
Vulnerability

    tomcat

Affected

    Jakarta-tomcat

Description

    Scott Morris found following.  Jakarta Tomcat contains a  security
    bug  that  can  compromise  UNIX  servers  running Tomcat as root.
    Tomcat can be used together with the Apache web server or a  stand
    alone server for Java Servlets as well as Java Servlet Pages.

    The defaullt intall of Tomcat contains a mounted contest  (/admin)
    that contains servlets  that can be  used to add,  delete, or view
    context information about the Tomcat Server.  Under UNIX, the root
    directory can bee added as a context, and if the server is running
    as root, all files on the system can be viewed over the web.

Solution

    Possible solution:

        1) Do not run the Tomcat server as root
        2) Restrict  access  to  the  /admin  context  or  remove   it
           completely

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH