Bug#434762: tomcat5.5: tomcat-users.xml contains sensitive data, yet it is world-readable

Marc Packenius marc-dated-1167550317.3fbcd4 at zappa.freenet-rz.de
Thu Jul 26 14:26:31 UTC 2007


Package: tomcat5.5
Severity: grave
Tags: security
Justification: user security hole

/var/lib/tomcat5.5/conf/tomcat-users.xml comes with file permissions
644. I consider this a security problem, because it's all too easy to
add the admin or manager roles while forgetting to change the file
permissions to something more restrictive, thus revealing the
authentication data used to manage the Tomcat installation to all local
users.

I suggest the file be chmodded to 600 during installation.


-- System Information:
Debian Release: etch
Architecture: i386 (i686)
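A shell audit for the exposure described in this report, added here as an example and not part of the bug report or the tomcat5.5 package; it assumes GNU coreutils `stat -c` (as on Debian) and works on a constructed sample file with a placeholder password:

```shell
#!/bin/sh
# Added example: detect and fix a tomcat-users.xml that holds credentials
# while being readable by group or others. Assumes GNU stat (-c).

# Exit 0 when FILE contains a <user .../> entry carrying a password.
has_credentials() {
    grep -q '<user[^>]*password=' "$1"
}

# Exit 0 when FILE grants read access to group or others.
# stat -c %A yields a mode string such as -rw-r--r-- ; the 5th and
# 8th characters are the group and other read bits.
is_exposed() {
    perms=$(stat -c '%A' "$1")
    case $perms in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Combined check: exit 0 means the problem from the report is present.
audit_tomcat_users() {
    has_credentials "$1" && is_exposed "$1"
}

# Remediation suggested in the report: owner-only read/write.
fix_tomcat_users() {
    chmod 600 "$1"
}

# Constructed sample reproducing the default described in the bug: a
# users file with a manager-role account, installed with mode 644.
# The password value is a placeholder, not a real credential.
make_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="CHANGEME-placeholder" roles="manager"/>
</tomcat-users>
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}
```

Run `audit_tomcat_users /var/lib/tomcat5.5/conf/tomcat-users.xml` on a real installation; an exit status of 0 means the file both carries a password and is readable beyond its owner.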