[ https://issues.apache.org/jira/browse/PLUTO-782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460849#comment-17460849 ]

Neil Griffin edited comment on PLUTO-782 at 12/16/21, 4:29 PM:
---------------------------------------------------------------

@[~snyff]: Thank you for reporting this issue. Please see commit [4c80c6b051343c5c2cb7a34230f125d21a7901b7|https://github.com/apache/portals-pluto/commit/4c80c6b051343c5c2cb7a34230f125d21a7901b7] for the fix, which will appear in the 3.1.1 release of Apache Pluto.

The solution was to comment-out the default "tomcat" and "pluto" logins as they 
currently are, and replace them with a "pluto" login that does not have the 
Tomcat "manager-gui" role.

For example:

{code:xml|title=tomcat-users.xml}
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
   <!-- Former defaults, disabled: both carried the Tomcat manager-gui role -->
   <!--
   <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />
   <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />
   -->
   <!-- Replacement login without manager-gui -->
   <user name="pluto" password="pluto" roles="pluto,tckuser" />
</tomcat-users>
{code}



was (Author: ngriffin7a):
@[~snyff]: Thank you for reporting this issue. Please see commit [4c80c6b051343c5c2cb7a34230f125d21a7901b7|https://github.com/apache/portals-pluto/commit/4c80c6b051343c5c2cb7a34230f125d21a7901b7] for the fix, which will appear in the 3.1.2 release of Apache Pluto.

The solution was to comment-out the default "tomcat" and "pluto" logins as they 
currently are, and replace them with a "pluto" login that does not have the 
Tomcat "manager-gui" role.

For example:

{code:xml|title=tomcat-users.xml}
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
   <!-- Former defaults, disabled: both carried the Tomcat manager-gui role -->
   <!--
   <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />
   <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />
   -->
   <!-- Replacement login without manager-gui -->
   <user name="pluto" password="pluto" roles="pluto,tckuser" />
</tomcat-users>
{code}


> Default "tomcat" and "pluto" users are granted "manager-gui" role
> -----------------------------------------------------------------
>
>                 Key: PLUTO-782
>                 URL: https://issues.apache.org/jira/browse/PLUTO-782
>             Project: Pluto
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 3.0.0, 3.0.1, 3.1.0
>            Reporter: Louis
>            Assignee: Neil Griffin
>            Priority: Critical
>             Fix For: 3.1.1
>
>
> Hi,
> I just downloaded your software and saw that the passwords used to protect 
> the local tomcat users are very predictable. It would be better to disable 
> those accounts as they basically allow anyone to get command execution on the 
> underlying server.
>  
> People in charge can then add those accounts based on their requirements.
> Regards,
> Louis



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
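A check for the configuration discussed in this issue, added here as an example; it is not code from the Pluto project, the linked commit, or either commenter. It parses a tomcat-users.xml and flags two things: accounts whose password is a shipped default (the reporter's point about predictable passwords) and accounts holding a Tomcat Manager or Host Manager role (what turns such a login into WAR deployment, and so command execution on the server). Run against the shipped defaults it reports both logins as critical; run against the fixed file it reports only that "pluto" still uses a default password, since the commit removes the manager-gui role but keeps the login the reporter asked to have disabled. The privileged-role set, the default-password list and the sample files are assumptions constructed for this example.

```python
"""Audit a Tomcat tomcat-users.xml for default passwords and Manager roles.
Example code written for this issue; not part of Apache Pluto or Apache Tomcat."""
import sys
import xml.etree.ElementTree as ET

# Roles that open the Tomcat Manager / Host Manager applications. Any of them
# lets the holder deploy a WAR, i.e. run code on the server.
# Assumption for this example: which roles count as privileged.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Passwords commonly shipped in sample configs (assumed list for this example).
DEFAULT_PASSWORDS = {"tomcat", "pluto", "s3cret", "password", "admin", ""}


def parse_users(xml_text):
    """Return (name, password, roles) for every live <user> element.

    ElementTree discards XML comments, so users that were commented out, as
    in the PLUTO-782 fix, never reach the audit: they really are inert."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # drop the {namespace} prefix
            continue
        # Tomcat's MemoryUserDatabase accepts either "username" or "name".
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        users.append((name, password, roles))
    return users


def audit(xml_text):
    """Return (user, severity, reason) findings in file order."""
    findings = []
    for name, password, roles in parse_users(xml_text):
        guessable = password in DEFAULT_PASSWORDS or password.lower() == name.lower()
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if guessable and privileged:
            findings.append((name, "CRITICAL",
                             f"default password plus {privileged}: code execution via WAR deploy"))
        elif privileged:
            findings.append((name, "WARN",
                             f"holds {privileged}; make sure the password is strong"))
        elif guessable:
            findings.append((name, "WARN",
                             "default/guessable password; disable or change the account"))
    return findings


# Constructed sample: the defaults as shipped before the fix.
SHIPPED_DEFAULTS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />
  <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />
</tomcat-users>
"""

# Constructed sample: the file after the fix (old users commented out).
FIXED = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!--
  <user name="tomcat" password="tomcat" roles="tomcat,pluto,manager-gui" />
  <user name="pluto" password="pluto" roles="pluto,manager-gui,tckuser" />
  -->
  <user name="pluto" password="pluto" roles="pluto,tckuser" />
</tomcat-users>
"""


def main(argv):
    """Audit the file given on the command line, or the two samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sources = [(argv[1], fh.read())]
    else:
        sources = [("shipped defaults", SHIPPED_DEFAULTS), ("fixed", FIXED)]
    for label, text in sources:
        print(f"== {label}")
        for user, severity, reason in audit(text) or [("-", "OK", "no findings")]:
            print(f"{severity:8} {user:10} {reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Pass a path to audit a real file (`python audit_tomcat_users.py /opt/tomcat/conf/tomcat-users.xml`, a hypothetical script name); with no argument it runs the two samples. A clean result from this check does not mean the Manager app is unreachable, only that no listed account can both be guessed and deploy; removing the manager webapps or binding them to localhost is a separate control.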