Open wvu opened 4 years ago
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Removed the stale label.
Untested, but this is probably a legitimate issue.
Gone are the days of insecure Tomcats running rampant, yet it is still a viable, reliable and useful attack vector, and this module warrants at least the bare minimum of maintenance.
thanks @bcoles I changed it over to a confirmed label which stops it from being closed too
The tomcat_mgr_login module is fairly old. Presumably the module has not been updated for changes to auth logic in Tomcat 7/8.
I'm not working on this issue, but did test Tomcat 6. The existing module logic matches my expectations. When no Tomcat users are configured, or the manager.xml file is removed, the Manager application is not started and attempts to access it return a 404 error (not 401).
It's a 401 Unauthorized in both cases, but you also get a WWW-Authenticate header in the latter case. Example from auxiliary/scanner/http/tomcat_mgr_login: https://github.com/rapid7/metasploit-framework/blob/ef2ed891d411298e3898aa1e3fdfe5014cd96fba/modules/auxiliary/scanner/http/tomcat_mgr_login.rb#L93-L96
Reported via IRC.
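The response distinction the thread turns on (a 401 that carries a WWW-Authenticate challenge versus one that does not, plus the 404 reported for Tomcat 6 when the Manager app is not started), as an added Ruby example that is not code from the metasploit-framework module; the HTTP responses are constructed samples and parse_response/classify_manager_response are assumed helper names:

```ruby
# Added example, not part of the tomcat_mgr_login module.
# Splits a raw HTTP/1.1 response into status code and a case-insensitive
# header map, then classifies it the way the thread describes.

def parse_response(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  code = status_line.split(' ')[1].to_i
  headers = {}
  header_lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip   # header names are case-insensitive
  end
  [code, headers]
end

def classify_manager_response(raw)
  code, headers = parse_response(raw)
  case code
  when 404
    # Tomcat 6 observation from the thread: no users configured or manager.xml
    # removed means the Manager app is not started at all.
    :manager_not_started
  when 401
    if headers.key?('www-authenticate')
      :manager_present_auth_required   # a real challenge: credentials are being checked
    else
      :unauthorized_without_challenge  # 401 but no challenge: not a credential check
    end
  when 200
    :manager_accessible
  else
    :unknown
  end
end

# Constructed sample responses (not captured from a real host).
SAMPLE_RESPONSES = {
  challenge:    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Tomcat Manager Application\"\r\nContent-Length: 0\r\n\r\n",
  no_challenge: "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n",
  not_started:  "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}

SAMPLE_RESPONSES.each { |name, raw| puts "#{name}: #{classify_manager_response(raw)}" }
```

A defender verifying that the Manager app is disabled on their own hosts wants the 404 case, not merely a 401 without a challenge.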