Bugtraq has had reports that Tomcat has vulnerabilities that allow remote users to get paths and to compromise root if Tomcat is run as root. Are these true?

Ignacio J. Ortega

Yes, for Tomcat 3.1. No, for Tomcat 3.2 Beta.
But it is very easy to secure Tomcat 3.1:

  • Stop Tomcat
  • Delete the contents of %TOMCAT_HOME%/work
  • Delete the file admin.war from %TOMCAT_HOME%/webapps
  • Delete the directory %TOMCAT_HOME%/webapps/admin
  • Start Tomcat
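The five steps above as a shell script, added here as an example and not part of the answer. It assumes TOMCAT_HOME points at the Tomcat 3.1 install and that bin/tomcat.sh start|stop is the control script (both assumptions; adjust for tomcat.bat on Windows). The file removal is kept in its own function so it can be tried on a scratch copy of the tree and verified before touching a live install.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: $TOMCAT_HOME is the Tomcat 3.1 root and
# $TOMCAT_HOME/bin/tomcat.sh accepts "start" and "stop".

# Remove the admin webapp (archive and unpacked directory) and empty work/,
# where compiled JSPs/servlets, including the admin ones, are cached.
# Takes the Tomcat home as $1 so it can be run against a test tree.
remove_admin_webapp() {
    home="$1"
    [ -d "$home/webapps" ] || { echo "no webapps dir under $home" >&2; return 1; }
    # Emptying work/ by deleting and recreating it; the server rebuilds
    # its contents on the next request, so nothing of value is lost.
    rm -rf "$home/work" && mkdir "$home/work" || return 1
    rm -f "$home/webapps/admin.war"
    rm -rf "$home/webapps/admin"
    return 0
}

# Return 0 only when no trace of the admin webapp remains and work/ is empty
# (find prints just the directory itself when it has no entries).
admin_webapp_removed() {
    home="$1"
    [ ! -e "$home/webapps/admin.war" ] || return 1
    [ ! -d "$home/webapps/admin" ] || return 1
    [ "$(find "$home/work" | wc -l)" -eq 1 ] || return 1
    return 0
}

# The full procedure from the answer: stop, clean, verify, start.
harden_tomcat31() {
    home="${TOMCAT_HOME:?set TOMCAT_HOME first}"
    "$home/bin/tomcat.sh" stop
    remove_admin_webapp "$home" || return 1
    admin_webapp_removed "$home" || { echo "admin webapp still present" >&2; return 1; }
    "$home/bin/tomcat.sh" start
}
```

Run harden_tomcat31 with TOMCAT_HOME exported; admin_webapp_removed can be re-run at any time as a quick check that nobody has redeployed the admin application.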