Apache Tomcat Manager Login Found
Impact: Medium
Description
By default, the Manager application should only be accessible from a browser running on the same machine as Tomcat. With an Apache Tomcat Manager login reachable over the internet, attackers can use password guessing and brute-force methods to break into your server.
Recommendation
Update the webapps/manager/META-INF/context.xml file so that only whitelisted IP addresses are allowed. The example below allows only the local machine (IPv4 addresses starting with 127 and the IPv6 loopback address).
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
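As an added example (not part of the original advisory or of Tomcat itself), the Python check below evaluates the allow pattern from the context.xml above the way Tomcat's RemoteAddrValve does (deny checked first, then allow, and the regex must match the whole address), so you can confirm which client addresses a given pattern admits before deploying it; the 10.0.1.x management subnet in EXTENDED_ALLOW is a constructed example, not something the advisory recommends.

```python
import re

# The allow pattern from the context.xml above (local machine only).
PAGE_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# Constructed example: a fictitious management subnet appended to the
# allow list. In context.xml the alternation is written on one line
# exactly like this.
EXTENDED_ALLOW = PAGE_ALLOW + r"|10\.0\.1\.\d+"


def is_allowed(remote_addr, allow=None, deny=None):
    """Decide whether RemoteAddrValve would admit `remote_addr`.

    Mirrors the documented evaluation order of Tomcat's remote address
    filter: a matching deny pattern refuses, then a matching allow
    pattern admits, an unmatched deny with no allow admits, and anything
    else is refused. Tomcat applies the regex to the whole address (Java
    Matcher.matches), so re.fullmatch is used rather than re.search.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    if deny is not None and allow is None:
        return True
    return False


def check_policy(allow, addresses):
    """Return {address: allowed?} for a list of client addresses."""
    return {addr: is_allowed(addr, allow=allow) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample clients: loopback (v4 and v6), an internet host,
    # the fictitious admin subnet, and an address that merely contains
    # a loopback-looking substring (rejected because of full matching).
    samples = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1",
               "203.0.113.7", "10.0.1.25", "1127.0.0.1"]
    for name, pattern in [("page", PAGE_ALLOW),
                          ("extended", EXTENDED_ALLOW)]:
        print(name, check_policy(pattern, samples))
```

If Tomcat sits behind a reverse proxy, the address it sees is the proxy's, so a RemoteIpValve must run before this valve or every client will appear to come from the proxy.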
References
Last updated on June 06, 2022