Tomcat admin default credentials script is not working anymore

I think the script /var/lib/openvas/plugins/2015/sw_tomcat_admin_default_credentials.nasl is outdated. It uses admin path which is not available anymore. I see some example of fix which use basic authentication to access manager app instead of using j_security_check with JSESSIONID, like

Do you have any plan to update this script?


welcome to this community and thanks for your posting.

Could you please share some more details on your observations:

  1. How did you determine that the mentioned VT doesn’t work anymore?
  2. Was Tomcat detected at all (There should be a “log” entry about a detection in your report and all Tomcat VTs relies on a previous detection of Tomcat)
  3. What version of Tomcat is installed?

Unfortunately this seems to be some kind of misunderstanding. There are currently two VTs available in the Feeds:

  1. 2012/gb_tomcat_default_credentials.nasl

    This one is the one from your link which is covering older Tomcat installations with a basic authentication check

  2. 2015/sw_tomcat_admin_default_credentials.nasl

    This is the newer one using j_security_check with a JSESSIONID

Both are targeting different Tomcat versions with a different kind of check.

1 Like

Sorry for confusing in explaining the issue I am facing. It was nothing to do with version. I tested with different version of tomcat including tomcat 6, 7, 9(latest). What I discover was that
2012/gb_tomcat_default_credentials.nasl worked, but 2015/sw_tomcat_admin_default_credentials.nasl didn’t. It seems to be failing with
req = http_get( item:"/admin/", port:port );
res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
cookie = eregmatch( pattern:“JSESSIONID=([0-9A-Z]+);”, string:res );
if( isnull( cookie[1] ) )
exit( 0 );
because the tomcat returns with 404 error. I think the issue is that it is trying to access /admin instead of /manager

Thanks for confirming. So this means that there are no action required and everything works as expected.

Just to summarize:

  • 2012/gb_tomcat_default_credentials.nasl: This is covering Apache Tomcat 6.x up to the latest (IIRC even 5.x is covered) which have the /manager/ endpoint for the admin backend
  • 2015/sw_tomcat_admin_default_credentials.nasl: This is covering older Apache Tomcat versions (IIRC Tomcat 4.x and below) which have a different /admin endpoint for the admin backend

So as you can see both VTs are targeting different Apache Tomcat versions having different admin backend URLs.

1 Like

Ok. So, I was confused with the year directories (2012 vs 2015). I thought 2015/sw_tomcat_admin_default_credentials.nasl should cover newer version of tomcat. Looks like it is not the case.
If your summarization of each nasl file’s purpose is what is expected, yes, you are right. There is no action required and everything works as expected.
Thank you so much for your kind explanation and follow up