Date: Fri, 21 Jul 2000 09:47:00 -0400
From: Scott Morris <smorris@GRIDNET.COM>
Subject: Jakarta-tomcat.../admin
To: BUGTRAQ@SECURITYFOCUS.COM

Summary:

Jakarta Tomcat contains a security bug that can compromise UNIX servers running Tomcat as root. Tomcat can be used together with the Apache web server or as a stand-alone server for Java Servlets and Java Server Pages.

Problem:

The default install of Tomcat contains a mounted context (/admin) that contains servlets that can be used to add, delete, or view context information about the Tomcat server. Under UNIX, the root directory can be added as a context, and if the server is running as root, all files on the system can be viewed over the web.

Possible Solution:

1) Do not run the Tomcat server as root.
2) Restrict access to the /admin context or remove it completely.

Scott Morris
UNIX Admin
Gridnet International
Key Fingerprint: 814E 7771 6EA9 6C94 B1C9 09C6 D86E 755E A0A9 1B67
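The following audit script is an added example and is not part of the original post or of the Tomcat project. It checks a server for the three conditions the advisory names: the /admin context still mounted, a context whose docBase points at an absolute filesystem path such as "/", and a Tomcat JVM running as root; it also scans an access log for requests into the /admin context. It assumes a Tomcat 3-style server.xml in which each web application is a <Context path="..." docBase="..."> element, a Common Log Format access log, and `ps -eo user,args` style process listings; every sample input below is constructed for the example.

```python
"""Audit helpers for the Tomcat /admin context issue (added example, not
from the original Bugtraq post). Assumes Tomcat 3-style <Context> elements
in server.xml, Common Log Format access logs and `ps -eo user,args` output.
All sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml: /admin still mounted and an extra context whose
# docBase is the filesystem root (the situation the advisory describes).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<Server>
  <ContextManager port="8080" home="/usr/local/tomcat">
    <Context path="/examples" docBase="webapps/examples" debug="0" reloadable="true" />
    <Context path="/admin" docBase="webapps/admin" debug="0" reloadable="true" />
    <Context path="/files" docBase="/" debug="0" reloadable="true" />
  </ContextManager>
</Server>
"""

# Constructed Common Log Format lines; paths under /admin are made up.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [21/Jul/2000:09:40:01 -0400] "GET /examples/index.html HTTP/1.0" 200 1234
10.0.0.9 - - [21/Jul/2000:09:41:17 -0400] "GET /admin/ HTTP/1.0" 200 2048
10.0.0.9 - - [21/Jul/2000:09:41:52 -0400] "POST /admin/ HTTP/1.0" 200 512
10.0.0.5 - - [21/Jul/2000:09:42:03 -0400] "GET /files/etc/passwd HTTP/1.0" 200 900
"""

# Constructed `ps -eo user,args` output; the java command line is made up.
SAMPLE_PS_OUTPUT = """\
USER     COMMAND
root     /usr/bin/java -classpath /usr/local/tomcat/lib tomcat.startup
nobody   /usr/sbin/httpd -DSSL
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def audit_contexts(server_xml):
    """Return findings for contexts that match the advisory's risk conditions:
    the /admin context is still mounted, or a context's docBase is an absolute
    path (the advisory's case being the root directory mounted as a context)."""
    findings = []
    root = ET.fromstring(server_xml)
    for ctx in root.iter("Context"):
        path = ctx.get("path", "")
        doc_base = ctx.get("docBase", "")
        if path == "/admin":
            findings.append("admin context mounted: path=%s docBase=%s" % (path, doc_base))
        if doc_base.startswith("/"):
            findings.append("context exposes absolute filesystem path: path=%s docBase=%s"
                            % (path, doc_base))
    return findings


def find_admin_requests(access_log, admin_prefix="/admin/"):
    """Return parsed log entries whose URL falls inside the /admin context.
    Lines that do not parse as Common Log Format are skipped."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if url == admin_prefix.rstrip("/") or url.startswith(admin_prefix):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "method": m.group("method"), "url": url,
                         "status": int(m.group("status"))})
    return hits


def tomcat_processes_as_root(ps_output):
    """Return the command lines of processes owned by root whose arguments
    mention tomcat (matched case-insensitively on the `ps -eo user,args` line)."""
    offenders = []
    for line in ps_output.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        user, args = parts
        if user == "root" and "tomcat" in args.lower():
            offenders.append(args)
    return offenders


if __name__ == "__main__":
    for finding in audit_contexts(SAMPLE_SERVER_XML):
        print("CONTEXT:", finding)
    for hit in find_admin_requests(SAMPLE_ACCESS_LOG):
        print("ADMIN REQUEST:", hit)
    for cmd in tomcat_processes_as_root(SAMPLE_PS_OUTPUT):
        print("RUNNING AS ROOT:", cmd)
```

On a real host, feed `audit_contexts` the contents of the server's own server.xml, `find_admin_requests` its access log, and `tomcat_processes_as_root` the output of `ps -eo user,args`; an empty result from all three corresponds to both items of the "Possible Solution" being in place.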