SecurityTracker.com
Category: Application (Web Server/CGI) > Apache Tomcat
Vendors: Apache Software Foundation
Tomcat Windows Installer Creates Default Blank Administrative Password
SecurityTracker Alert ID: 1023146
SecurityTracker URL: http://securitytracker.com/id/1023146
CVE Reference: CVE-2009-3548
Date: Nov 9 2009
Impact: User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 5.5.0 to 5.5.28, 6.0.0 to 6.0.20; prior versions may also be affected.
Description:   A vulnerability was reported in Tomcat. A remote user can gain administrative access to the target application.

The Windows installer creates a blank password by default for the administrative user. If the password is not changed during installation, a remote user can gain access to the account.

David Horheim reported this vulnerability.

Impact: A remote user can gain administrative access to the target application in certain cases.
Solution: The vendor has issued a source code fix.
Vendor URL: tomcat.apache.org/
Cause: Configuration error
Underlying OS: Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 18 2010 (HP Issues Fix for HP-UX) Tomcat Windows Installer Creates Default Blank Administrative Password
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.



 Source Message Contents

Subject:  [SECURITY] CVE-2009-3548 Apache Tomcat Windows Installer insecure default administrative password

CVE-2009-3548: Apache Tomcat Windows Installer insecure default
administrative password

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20

The unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may also be
affected.

Description:
The Windows installer defaults to a blank password for the
administrative user. If this is not changed during the install process,
then by default a user is created with the name admin, roles admin and
manager and a blank password.

Mitigation:
Users of all Tomcat versions may mitigate this issue by one of the
following methods:
- Using the .zip or .tar.gz distributions
- Specifying a strong password for the admin user when using the
  Windows installer
- Removing the admin user from the tomcat-users.xml file after the
  Windows installer has completed
- Editing the tomcat-users.xml file to provide the admin user with
  a strong password after the Windows installer has completed

A patch for this issue [1] has been applied to trunk and will be
included in the next releases of 6.0.x and 5.5.x.

Credit:
This issue was reported directly [2] to the tomcat users public mailing
list by David Horheim.
Security researchers are reminded that undisclosed vulnerabilities in
Apache Tomcat should, in the first instance, be reported to the private
security mailing list. [3]

References:
[1] http://svn.apache.org/viewvc?view=revision&revision=834047
[2] http://markmail.org/thread/wfu4nff5chvkb6xp
[3] http://tomcat.apache.org/security.html

Mark Thomas
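The last two mitigations in the message above (remove the installer-created admin user, or make sure it has a real password) can be checked and applied mechanically. The following is an added example, not code from the advisory or from the Tomcat project: it parses a tomcat-users.xml file, reports any user holding the admin or manager role with a blank or missing password, and produces a cleaned copy with blank-password users removed. The sample file contents are constructed for the example.

```python
# Added example (not from the advisory or the Tomcat project): audit a
# tomcat-users.xml file for the condition CVE-2009-3548 describes, i.e. a
# user holding the admin or manager role with a blank password.
import xml.etree.ElementTree as ET

PRIVILEGED_ROLES = {"admin", "manager"}

# Constructed sample mirroring what the Windows installer wrote when the
# password prompt was left empty; "ops" is a hardened counterpart and
# "guest" shows a blank password on a non-privileged role.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="ops" password="correct-horse-battery-staple" roles="manager"/>
  <user username="guest" password="" roles="tomcat"/>
</tomcat-users>
"""


def find_weak_users(xml_text):
    """Return (username, sorted roles) for every user whose password is blank
    or missing and who holds at least one privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        # Tomcat's MemoryUserDatabase accepts 'username' or the older 'name'.
        name = user.get("username") or user.get("name") or "<unnamed>"
        password = user.get("password")  # None when the attribute is absent
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        if not password and roles & PRIVILEGED_ROLES:
            findings.append((name, sorted(roles)))
    return findings


def remove_blank_password_users(xml_text):
    """Return a copy of the file with every blank-password user removed,
    the 'remove the admin user' mitigation generalised to all such users."""
    root = ET.fromstring(xml_text)
    for user in list(root.findall("user")):
        if not user.get("password"):
            root.remove(user)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, roles in find_weak_users(SAMPLE_TOMCAT_USERS):
        print(f"WEAK: user {name!r} has a blank password and roles {roles}")
    print(remove_blank_password_users(SAMPLE_TOMCAT_USERS))
```

Run it against the real file (typically conf/tomcat-users.xml under the Tomcat install directory) after the installer finishes; the cleaned output is only useful once a strong password has been set for whichever administrative account you keep.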

Copyright 2018, SecurityGlobal.net LLC