rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Tomcat modules do not distinguish between the Manager being disabled vs. enabled with auth #14147

Open wvu opened 4 years ago

wvu commented 4 years ago

It's a 401 Unauthorized in both cases, but you also get a WWW-Authenticate header in the latter case.

Example from auxiliary/scanner/http/tomcat_mgr_login:

https://github.com/rapid7/metasploit-framework/blob/ef2ed891d411298e3898aa1e3fdfe5014cd96fba/modules/auxiliary/scanner/http/tomcat_mgr_login.rb#L93-L96

Reported via IRC.

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

bcoles commented 3 years ago

Removed the stale label.

Untested, but this is probably a legitimate issue.

Gone are the days of insecure Tomcats running rampant, yet it is still a viable, reliable and useful attack vector, and this module warrants at least the bare minimum of maintenance.

dwelch-r7 commented 3 years ago

Thanks @bcoles, I changed it over to a confirmed label, which stops it from being closed too.

bcoles commented 3 years ago

The tomcat_mgr_login module is fairly old. Presumably the module has not been updated for changes to auth logic in Tomcat 7/8.

I'm not working on this issue, but did test Tomcat 6. The existing module logic matches my expectations. When no Tomcat users are configured, or the manager.xml file is removed, the Manager application is not started and attempts to access it return a 404 error (not 401).
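The response states described in this thread (wvu's 401-with-WWW-Authenticate vs. bare-401 distinction, and bcoles' observation that Tomcat 6 answers 404 when the Manager is not started) can be turned into one small classifier. This is an added example, not the tomcat_mgr_login module's own code; the `TomcatProbe` struct and the sample responses are constructed here and do not come from a real Tomcat.

```ruby
# Added example (not Metasploit module code): classify a Tomcat Manager probe
# according to the behaviour reported in this issue.
#   401 + WWW-Authenticate  -> Manager enabled, credentials required
#   401 without the header  -> Manager disabled (wvu's report)
#   404                     -> Manager app not started/deployed (bcoles, Tomcat 6)
#   200                     -> reachable without authentication
TomcatProbe = Struct.new(:code, :headers)

# HTTP header names are case-insensitive, so match WWW-Authenticate in any casing.
def www_authenticate(headers)
  key = headers.keys.find { |k| k.to_s.casecmp?('www-authenticate') }
  key && headers[key]
end

def classify_manager(res)
  case res.code
  when 200 then :accessible_no_auth
  when 404 then :not_deployed
  when 401
    www_authenticate(res.headers) ? :auth_required : :disabled
  else
    :unknown
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses for illustration only.
  samples = {
    'enabled'  => TomcatProbe.new(401, { 'WWW-Authenticate' => 'Basic realm="example"' }),
    'disabled' => TomcatProbe.new(401, { 'Content-Type' => 'text/html' }),
    'missing'  => TomcatProbe.new(404, {}),
  }
  samples.each { |name, res| puts "#{name}: #{classify_manager(res)}" }
end
```

Only the `:auth_required` state means a login attempt is meaningful; a bare 401 or a 404 should be reported as such rather than as a failed credential check.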