
Apache Tomcat Manager Login Found

Severity:
Medium

Description

By default, the Tomcat Manager application should only be accessible from a browser running on the same machine as Tomcat. If the Manager login page is instead reachable from the internet, attackers can use it to launch password-guessing and brute-force attacks against the Manager credentials, potentially gaining unauthorized access to the server.

Recommendation

Update the webapps/manager/META-INF/context.xml file so that only allow-listed IP addresses can reach the Manager application. The example below permits only the local machine's loopback addresses (IPv4 addresses starting with 127, and the IPv6 loopback address ::1).

<Context antiResourceLocking="false" privileged="true" >

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
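
As an added check that is not part of the original advisory, the following Python script reads a context.xml, locates the RemoteAddrValve and evaluates its allow pattern against sample client addresses the way Tomcat does (the whole address must match the pattern), and reports every address as allowed when the valve is missing. The sample XML is constructed here from the fragment above; the function names are the script's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of webapps/manager/META-INF/context.xml, using the same
# RemoteAddrValve as the recommendation above. A real audit would read the
# deployed file from disk instead.
SAMPLE_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>"""

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"


def load_allow_pattern(context_xml: str):
    """Return the compiled 'allow' regex of the RemoteAddrValve, or None when
    no such valve is configured (e.g. it was deleted or commented out)."""
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if valve.get("className") == VALVE_CLASS and valve.get("allow"):
            return re.compile(valve.get("allow"))
    return None


def is_allowed(pattern, remote_addr: str) -> bool:
    """Tomcat compares the complete client address against the pattern
    (Matcher.matches()), so the regex is effectively anchored at both ends;
    fullmatch() reproduces that. The address is the TCP peer as Tomcat sees it."""
    return pattern.fullmatch(remote_addr) is not None


def audit(context_xml: str, addresses):
    """Map each sample address to whether the configured valve would let it
    reach the Manager. Without a valve nothing is filtered, so all pass."""
    pattern = load_allow_pattern(context_xml)
    if pattern is None:
        return {addr: True for addr in addresses}
    return {addr: is_allowed(pattern, addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample client addresses: loopback ones should pass, the rest not.
    samples = ["127.0.0.1", "127.42.0.7", "::1", "0:0:0:0:0:0:0:1",
               "10.0.0.5", "203.0.113.9"]
    for addr, ok in audit(SAMPLE_CONTEXT_XML, samples).items():
        print(f"{addr:>16}: {'allowed' if ok else 'blocked'}")
```

Run the script against the deployed file to confirm that only the intended addresses are allowed and that the valve is actually present.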

Tags:
Tomcat
Brute Force
Access Control
Authentication
Last updated on May 13, 2024