Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-26 Thread Howard W. Smith, Jr.
On Tue, Nov 26, 2013 at 5:53 AM, André Warnier wrote:
> So yes, by any means, have the Manager disabled by default, even when
> subsequently enabled restrict it by default to localhost, ...

+1

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-26 Thread David Bullock
On 25 November 2013 23:27, Ognjen Blagojevic wrote:
> What most users do is to copy the XML example, and paste it into
> tomcat-users.xml.
>
> I propose that 401 page for Manager be dynamically generated, so that
> instead of occurrences of example password "s3cret", it generates random
> passwor

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-26 Thread André Warnier
Ognjen Blagojevic wrote: Chris, On 25.11.2013 20:56, Christopher Schultz wrote: What most users do is to copy the XML example, and paste it into tomcat-users.xml. If that were the case, I would have expected to see "tomcat:s2cret" listed in the worm's "obvious creds" list. Since it's

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Ognjen Blagojevic
Chris, On 25.11.2013 20:56, Christopher Schultz wrote: What most users do is to copy the XML example, and paste it into tomcat-users.xml. If that were the case, I would have expected to see "tomcat:s2cret" listed in the worm's "obvious creds" list. Since it's not there, I suppose that

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Christopher Schultz
Ognjen, On 11/25/13, 7:27 AM, Ognjen Blagojevic wrote:
> Current 401 page for Manager application says something like:
>
> You are not authorized to view this page. If you have not
> changed any configuration files, please examine the file
> c

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Christopher Schultz
Mark, On 11/25/13, 5:08 AM, Mark Thomas wrote:
> Folks that disabled the LockOutRealm in server.xml that protects
> against brute-force password attacks (against any app - not just
> the Manager) should probably be worried.

I had configured my Mana

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Ognjen Blagojevic
Mikolaj, On 25.11.2013 12:46, Mikolaj Rydzewski wrote: On 25.11.2013 12:42, Ognjen Blagojevic wrote: I also think it would be very useful if 401 error page for manager application does not example password "s3cret", but randomly generated long password unique for every request. I guess there

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Mikolaj Rydzewski
On 25.11.2013 12:42, Ognjen Blagojevic wrote: I also think it would be very useful if 401 error page for manager application does not example password "s3cret", but randomly generated long password unique for every request. I guess there is a number of Tomcat instances out there with username "

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Ognjen Blagojevic
Mark, On 25.11.2013 11:08, Mark Thomas wrote: Unrelated to this issue, I have recently expanded the section of the docs that covers securing the default applications. The updates will be in the next release. Until then you can read it via the copy of the docs built by the CI system: http://ci.ap

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Johan Compagner
>
> The one question this raises for me is should the Manager application be
> limited to localhost by default? I'd be interested in the community's
> views on that.
>

my view: yes If it is easy configurable (like removing localhost to have all access, but also adding a host) Because then people k

Re: [OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Mark Thomas
On 25/11/2013 08:22, Leon Rosenberg wrote:
> Morning everyone,
>
> what can be greater start in the morning as reading about first tomcat worm
> found by symantec ;-)
>
> http://www.symantec.com/connect/blogs/all-your-tomcat-are-belong-bad-guys

How good your morning will be after reading that ar

[OT] Symantic has a first tomcat worm ;-)

2013-11-25 Thread Leon Rosenberg
Morning everyone,

what can be greater start in the morning as reading about first tomcat worm found by symantec ;-)

http://www.symantec.com/connect/blogs/all-your-tomcat-are-belong-bad-guys

Enjoy your caffe.

Leon