David Tyler wrote:
> Given the widespread and increasing nature of this exploit, I think it would
> be prudent of the tomcat devs to alter the default installation to disable
> the tomcat manager by default or otherwise somehow require a non-default
> password to be set. True, this is not a bug of Tomcat, but it would help
> protect users if the default behavior prevented the inadvertent opening of
> this backdoor entry point.
You appear to be misinformed. There is no default Tomcat password. The Tomcat binary distributions are already constructed as you are suggesting and have been that way for as long as I can remember.

With the zip/tar install, the user has to manually edit tomcat-users.xml. The user must also add the manager role to one of the users. In 6.0.x the user must also create a user as none are defined by default. None of the default users is named admin.

With the Windows installer, an admin user is created but there is no default password. The user must specify their own.

I am extremely interested to find out where you obtained your Tomcat installations from as it could not have been an official Apache distribution. Please let us know where you sourced them from so we can warn the Tomcat user community to avoid them.

Kind regards,

Mark
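The practical check behind this exchange is whether the tomcat-users.xml actually deployed on a host grants the manager role to anyone, and if so, with what password. The following is an added example, not code from the thread or from the Tomcat project: it parses the Tomcat 5.5/6.0-era tomcat-users.xml layout (role and user elements under tomcat-users, plaintext password attributes, the single role name "manager") and flags manager users whose password is trivially guessable. The two embedded files are constructed samples: one mirrors the 6.0.x default in which every user is commented out, the other shows an administrator who enabled the manager with a weak password. The weak-password list is an illustrative set, not an authoritative one; the later role names manager-gui, manager-script, manager-jmx and manager-status (introduced when the manager role was split in Tomcat 7) are included so the same check works on newer files.

```python
"""Audit a tomcat-users.xml for manager-role users with weak passwords.

Added example, not from the mailing-list thread or the Tomcat project.
Assumes the tomcat-users.xml layout of the Tomcat 5.5/6.0 era: <role> and
<user> elements under <tomcat-users>, plaintext password attributes, and
the role name "manager". The split role names from later versions are
accepted too so the check remains useful on newer files.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the manager application. "manager" is the
# 5.5/6.0 name; the others are the later split names.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status"}

# Illustrative weak-password set (constructed for this example, not exhaustive).
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "root",
                  "changethis", "s3cret"}

# Constructed sample: a 6.0.x-style default file, all users commented out,
# so the parser sees no <user> elements at all.
DEFAULT_6_0 = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>
"""

# Constructed sample: the manager was enabled by hand, one account with a
# guessable password, one with a strong one, and one unrelated user.
MISCONFIGURED = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="admin" roles="manager"/>
  <user username="deploy" password="Xk7#vQ2pLm9!r" roles="manager"/>
  <user username="app" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""


def manager_users(xml_text):
    """Return {username: password} for every user holding a manager role.

    Commented-out <user> elements are dropped by the XML parser, so the
    6.0.x default file yields an empty dict.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for user in root.iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            found[user.get("username")] = user.get("password", "")
    return found


def audit(xml_text):
    """Classify a file as 'no-manager-users', 'weak-credentials' or 'ok'.

    Returns (verdict, sorted list of manager usernames with weak passwords).
    A password equal to the username is treated as weak as well.
    """
    users = manager_users(xml_text)
    if not users:
        return "no-manager-users", []
    weak = sorted(u for u, p in users.items()
                  if p.lower() in WEAK_PASSWORDS or p.lower() == u.lower())
    return ("weak-credentials" if weak else "ok"), weak


if __name__ == "__main__":
    for name, text in (("default-6.0", DEFAULT_6_0), ("misconfigured", MISCONFIGURED)):
        print(name, audit(text))
```

Pointing `audit` at the real file (`ET.parse(path).getroot()` in place of `ET.fromstring`) is enough to turn this into a deployment check; a verdict of `no-manager-users` on a stock archive install is the expected result and matches what the reply describes.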
