Apache Tomcat Manager Login Found
Impact: Medium
Description
By default, the Tomcat Manager application should only be accessible from a browser running on the same machine as Tomcat. However, if the Manager login page is accessible over the internet, attackers can exploit this to launch password guessing and brute force attacks, potentially gaining unauthorized access to the server.
Recommendation
Update the webapps/manager/META-INF/context.xml file so that the RemoteAddrValve only admits requests from an allow list of IP addresses. The example below allows only local machine addresses starting with 127 (plus the IPv6 loopback address).
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
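An added check, not taken from the page or from Tomcat, that mirrors how RemoteAddrValve evaluates its allow/deny regexes (whole-address match, deny before allow) so an allow list can be reviewed before it is deployed; the 10.0.5.x admin subnet in ADMIN_ALLOW is an assumed example value.

```python
import re
from typing import Dict, List, Optional

# Allow pattern exactly as given in the recommended context.xml above.
PAGE_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# Hypothetical extension admitting an admin subnet 10.0.5.0/24 (assumed value,
# not from the page). Dots must be escaped; the valve takes a regex, not a CIDR.
ADMIN_ALLOW = PAGE_ALLOW + r"|10\.0\.5\.\d+"


def is_allowed(remote_addr: str, allow: Optional[str] = PAGE_ALLOW,
               deny: Optional[str] = None) -> bool:
    """Reproduce RemoteAddrValve's decision order.

    Tomcat's RequestFilterValve compares the *whole* remote address using
    Matcher.matches(), which re.fullmatch reproduces here:
      1. deny set and matches      -> reject
      2. allow set and matches     -> accept
      3. only deny set, no allow   -> accept anything not denied
      4. otherwise                 -> reject
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    if deny is not None and allow is None:
        return True
    return False


def audit(allow: str, addrs: List[str]) -> Dict[str, bool]:
    """Map each candidate address to the valve's verdict for review."""
    return {a: is_allowed(a, allow) for a in addrs}


if __name__ == "__main__":
    # Constructed sample addresses: loopbacks, an external client, a
    # near-miss that only partially matches, and two admin-subnet probes.
    samples = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "203.0.113.5",
               "127.0.0.1.5", "10.0.5.7", "10.0.50.7"]
    for addr, ok in audit(ADMIN_ALLOW, samples).items():
        print(f"{addr:>18} -> {'allow' if ok else 'deny'}")
```

RemoteAddrValve tests the socket peer address, so behind a reverse proxy every client appears as the proxy's IP; in that deployment place RemoteIpValve ahead of it (or use RemoteCIDRValve) rather than widening the allow list.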
Last updated on May 13, 2024