Tomcat Insecure Installation under Windows
The Windows installer for Tomcat leaves the password of the application's administrative user blank, which can be a serious security problem for anyone who installed Tomcat on Windows with the installer. Affected versions are Tomcat 5.5.0 to 5.5.28 and Tomcat 6.0.0 to 6.0.20; earlier versions, although no longer supported, may also be affected.

The cause is that the Windows installer leaves the password blank and it is not changed after the installation process. The admin user has the admin and manager roles, which give full control over Tomcat. Users who installed Tomcat directly from a zip or tar.gz file are not affected. To avoid the problem, either remove the user configuration file tomcat-users.xml after installation or set a strong password for the admin user in that file. This error will be corrected in the upcoming 6.0.x and 5.5.x releases.
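The check below is an added example, not code from the original post or from the Tomcat project. It parses a tomcat-users.xml file and reports every user whose password attribute is empty or missing, highlighting those holding the admin or manager roles the post describes. The two embedded XML documents are constructed samples: the first approximates what the post says the Windows installer produces (the exact file contents are an assumption), the second is the same file after the post's mitigation of setting a strong password (the password value is a placeholder, not a real credential). The default Windows path used in `main` is the standard `%CATALINA_HOME%\conf\tomcat-users.xml` location.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample approximating the tomcat-users.xml that the post says the
# Windows installer writes: the admin user exists with a blank password.
# (Assumption: the real installer file may contain additional entries.)
INSTALLER_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
</tomcat-users>
"""

# The same file after applying the post's mitigation: a strong password is set.
# The value is a constructed placeholder; replace it with a real strong secret.
HARDENED_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="REPLACE-WITH-STRONG-PASSWORD-x7Qv2" roles="admin,manager"/>
</tomcat-users>
"""

# Roles that give full control over Tomcat according to the post.
PRIVILEGED_ROLES = {"admin", "manager"}


def find_blank_password_users(xml_text):
    """Return [(username, sorted roles)] for every <user> with an empty or missing password."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        # Tomcat uses the 'username' attribute; older files used 'name'.
        name = user.get("username") or user.get("name") or "<unnamed>"
        password = user.get("password")
        roles = sorted(r.strip() for r in (user.get("roles") or "").split(",") if r.strip())
        if not password:  # covers both password="" and a missing attribute
            findings.append((name, roles))
    return findings


def audit(xml_text):
    """Summarise the file: all blank-password users, the privileged subset, and an ok flag."""
    findings = find_blank_password_users(xml_text)
    privileged = [(n, r) for n, r in findings if PRIVILEGED_ROLES & set(r)]
    return {
        "blank_password_users": findings,
        "privileged_blank": privileged,
        "ok": not findings,
    }


def main(argv):
    # Default to the standard Windows location; pass another path as the first argument.
    path = argv[1] if len(argv) > 1 else r"C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\tomcat-users.xml"
    try:
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
        return 2
    result = audit(xml_text)
    for name, roles in result["blank_password_users"]:
        flag = "PRIVILEGED" if PRIVILEGED_ROLES & set(roles) else "unprivileged"
        print(f"blank password: user={name} roles={','.join(roles) or '-'} [{flag}]")
    print("OK: no blank-password users" if result["ok"] else "FAIL: fix or remove tomcat-users.xml")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real file after installation; a non-zero exit means the installer-era default is still present. The check treats a missing `password` attribute the same as an empty one, since both let the user in without a credential when the file is consulted by the default realm.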


Windows distribution vulnerability
http://markmail.org/thread/wfu4nff5chvkb6xp

Apache Tomcat Security Updates
http://tomcat.apache.org/security.html
