Thanks Mark, your input is much appreciated. Lorenzo
-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 April 2005 02:42 p.m.
To: Tomcat Users List
Subject: Re: Information on a hacked tomcat 5

It depends if these apps are visible to the internet. You can use a remote address filter (actually a valve, not a filter in the servlet API sense of the word) to limit their accessibility.

If the apps are visible, an attacker with your manager password can replace one of your trusted apps/deploy their own app, which can do anything allowed by your security policy and the permissions of the user under which the tomcat process runs. Assuming they can then escalate their access via some other vulnerability, getting root access is also possible.

Things you can do to mitigate this risk:
- configure a remote address filter for all admin-sensitive apps (admin, manager + any of your own)
- configure a security manager and then test your configuration to make sure it does what you think it does.

Depending on your OS there may be other things you can do to isolate the tomcat process from the rest of the box.

Mark

Lorenzo Jiménez wrote:
> Hi,
>
> If someone on the net found out, for any reason, our admin or manager user
> and password, what resources can he get besides turning on/off the apps, looking
> at tomcat-users.xml?
>
> Can he/she get info from the application context.xml like database user and
> passwords?
> Can he/she deploy an exe or script for converting a server into a zombie?
> Change the server init scripts?
> Change the root password?
>
> Thanks very much,
>
> Lorenzo Jimenez
>
> -------------------------------------------------------------
> If you are not the addressee indicated in this message (or responsible for
> delivery of the message to such person), you may not copy or send this
> message to anyone; please notify [EMAIL PROTECTED]. Click here for important
> additional terms relating to this e-mail:
> <http://www.nacion.com/disclaimer/index_en2.htm>
> -------------------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
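The remote address valve Mark recommends for the manager app, written out as an added example (not configuration from the thread or from the Tomcat project); the file path, the docBase and the two allowed addresses are assumptions for a Tomcat 5.5 layout:

```xml
<!-- Added example: conf/Catalina/localhost/manager.xml, the per-context
     descriptor that Tomcat 5.5 reads for the /manager app. The docBase and
     the allowed addresses (loopback plus one assumed admin workstation at
     10.0.0.25) are assumptions; adjust them to your own network. -->
<Context docBase="${catalina.home}/server/webapps/manager"
         privileged="true" antiResourceLocking="false" antiJARLocking="false">

  <!-- RemoteAddrValve checks the client's IP address (not its hostname) against
       the comma-separated regular expressions in "allow"; any other address
       receives 403 Forbidden before the manager servlet is reached.
       The dots are escaped so that "127.0.0.1" cannot also match "127x0x0x1". -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.0\.0\.25" />

  <!-- Standard manager wiring: the realm's user database. -->
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.UserDatabase"/>
</Context>
```

To test the configuration as Mark suggests, request /manager/html from a host that is not listed and confirm a 403 rather than a login prompt, then repeat from a listed host. On Tomcat 7 and later `allow` is a single regular expression, so alternatives are separated with `|` rather than commas.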
