[ https://issues.apache.org/jira/browse/PLUTO-782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460849#comment-17460849 ]
Neil Griffin edited comment on PLUTO-782 at 12/16/21, 4:29 PM:
---------------------------------------------------------------

@[~snyff]: Thank you for reporting this issue. Please see commit [4c80c6b051343c5c2cb7a34230f125d21a7901b7|https://github.com/apache/portals-pluto/commit/4c80c6b051343c5c2cb7a34230f125d21a7901b7] for the fix, which will appear in the 3.1.1 release of Apache Pluto.

The solution was to comment-out the default "tomcat" and "pluto" logins as they currently are, and replace them with a "pluto" login that does not have the Tomcat "manager-gui" role. For example:

{code:xml|title=tomcat-users.xml}
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
    <!--
    <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />
    <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />
    -->
    <user name="pluto" password="pluto" roles="pluto,tckuser" />
</tomcat-users>
{code}

was (Author: ngriffin7a):

@[~snyff]: Thank you for reporting this issue. Please see commit [4c80c6b051343c5c2cb7a34230f125d21a7901b7|https://github.com/apache/portals-pluto/commit/4c80c6b051343c5c2cb7a34230f125d21a7901b7] for the fix, which will appear in the 3.1.2 release of Apache Pluto.

The solution was to comment-out the default "tomcat" and "pluto" logins as they currently are, and replace them with a "pluto" login that does not have the Tomcat "manager-gui" role. For example:

{code:xml|title=tomcat-users.xml}
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
    <!--
    <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />
    <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />
    -->
    <user name="pluto" password="pluto" roles="pluto,tckuser" />
</tomcat-users>
{code}

> Default "tomcat" and "pluto" users are granted "manager-gui" role
> -----------------------------------------------------------------
>
>                 Key: PLUTO-782
>                 URL: https://issues.apache.org/jira/browse/PLUTO-782
>             Project: Pluto
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 3.0.0, 3.0.1, 3.1.0
>            Reporter: Louis
>            Assignee: Neil Griffin
>            Priority: Critical
>             Fix For: 3.1.1
>
>
> Hi,
> I just downloaded your software and saw that the passwords used to protect
> the local tomcat users are very predictable. It would be better to disable
> those accounts as they basically allow anyone to get command execution on the
> underlying server.
>
> People in charge can then add those accounts based on their requirements.
> Regards,
> Louis

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
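As an added defender-side example (not code from the Pluto project or from either participant in the thread), the following Python script parses a tomcat-users.xml and flags accounts that hold Tomcat Manager or Host Manager roles, or that use well-known placeholder credentials. It is run over the "before" and "after" versions of the file from the comment above. The privileged-role set and the default-credential list are assumptions chosen for illustration; adapt them to the site. Note that the corrected file still trips the default-password check for the remaining "pluto" account, which is the point Louis raises about reviewing such accounts before deployment.

```python
"""Audit a tomcat-users.xml for privileged Manager roles and default credentials.

Constructed example for illustration; not part of Apache Pluto or Tomcat.
"""
import xml.etree.ElementTree as ET

# Roles that grant deploy/undeploy access through the Manager and Host Manager
# web applications (assumed list; see the Tomcat Manager documentation).
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed list of well-known placeholder username/password pairs.
DEFAULT_CREDENTIALS = {("tomcat", "tomcat"), ("pluto", "pluto"), ("admin", "admin")}


def parse_users(xml_text):
    """Return a list of {'name', 'password', 'roles'} dicts for every <user>.

    ElementTree drops XML comments while parsing, so users that were
    commented out (as in the PLUTO-782 fix) are not returned.
    """
    root = ET.fromstring(xml_text)
    users = []
    for elem in root.iter():
        # Strip the default namespace so both namespaced and bare files work.
        tag = elem.tag.split("}")[-1]
        if tag != "user":
            continue
        # Tomcat accepts either "username" or "name" for the login name.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        users.append({"name": name, "password": password, "roles": roles})
    return users


def audit(xml_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for user in parse_users(xml_text):
        privileged = user["roles"] & PRIVILEGED_ROLES
        if privileged:
            findings.append(
                f"user '{user['name']}' holds privileged role(s): "
                + ", ".join(sorted(privileged))
            )
        if (user["name"], user["password"]) in DEFAULT_CREDENTIALS:
            findings.append(f"user '{user['name']}' uses a well-known default password")
    return findings


# The two versions of the file discussed in the comment above.
HEADER = (
    '<tomcat-users xmlns="http://tomcat.apache.org/xml"\n'
    '              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
    '              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"\n'
    '              version="1.0">\n'
)

BEFORE_FIX = HEADER + (
    '    <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />\n'
    '    <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />\n'
    "</tomcat-users>\n"
)

AFTER_FIX = HEADER + (
    "    <!--\n"
    '    <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />\n'
    '    <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />\n'
    "    -->\n"
    '    <user name="pluto" password="pluto" roles="pluto,tckuser" />\n'
    "</tomcat-users>\n"
)


if __name__ == "__main__":
    for label, text in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"== {label} ==")
        for finding in audit(text) or ["no findings"]:
            print("  " + finding)
```

Pointing the script at a real file is a matter of reading it with `open(path).read()` and passing the text to `audit()`; a non-empty result is a reasonable gate to put in a deployment pipeline before a Tomcat instance goes live.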