HTTP Plain Text Basic Authentication; not disabling AutoComplete, Apache Tomcat OM Web Viewer 12.1
Article ID: 135334
Products
Output Management Web Viewer
Issue/Introduction
A vulnerability scan found these three problems with Apache Tomcat® running with OM Web Viewer 12.1:
Security Finding #1 [port 8443]: AutoComplete Attribute Not Disabled for Password in Form Based Authentication. Request: GET /examples/jsp/security/protected/ HTTP/1.1
Security Finding #2 [port 15100]: Web Server Uses Plain Text Basic Authentication. Request: GET /manager/status HTTP/1.1
Security Finding #3 [port 8080]: AutoComplete Attribute Not Disabled for Password in Form Based Authentication. Request: GET /examples/jsp/security/protected/ HTTP/1.1
Environment
Apache Tomcat®
Output Management Web Viewer 12.1
Cause
Security Findings #1 and #3 are in the Tomcat-supplied "examples" application.
Security Finding #2 is caused by the Tomcat-supplied "manager" application, which has been configured for use.
Resolution
Security Finding #1 [port 8443] may be resolved by undeploying the examples application. The examples application is not utilized by OM Web Viewer 12.1.
Security Finding #2 [port 15100] may be resolved by undeploying the Tomcat Manager, which was set up for use with a userid and password while troubleshooting a problem.
Security Finding #3 [port 8080] may also be resolved by undeploying the examples application. The examples application is not utilized by OM Web Viewer 12.1.
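To confirm before a rescan that both applications are really gone, the following added example (not part of the original article or of the product) looks for every on-disk form in which Tomcat can pick up the "examples" and "manager" applications. It assumes the default appBase `webapps` and the default engine and host names `Catalina` and `localhost`; the function name `find_default_apps` is hypothetical.

```shell
#!/bin/sh
# Added example: report the bundled Tomcat "examples" and "manager"
# applications that are still present under a CATALINA_BASE directory.
# Assumptions: default appBase "webapps", default engine/host names
# "Catalina"/"localhost". Adjust the paths if server.xml differs.

# find_default_apps BASE [APP...]
# Prints one line per artifact found. Returns 0 when nothing is left,
# 1 when at least one artifact is still deployed.
find_default_apps() {
    base=$1
    shift
    [ $# -gt 0 ] || set -- examples manager
    found=0
    for app in "$@"; do
        # An application can exist as an exploded directory, a WAR file,
        # or a context descriptor; any one of them keeps it deployed.
        for path in \
            "$base/webapps/$app" \
            "$base/webapps/$app.war" \
            "$base/conf/Catalina/localhost/$app.xml"
        do
            if [ -e "$path" ]; then
                echo "DEPLOYED $app: $path"
                found=1
            fi
        done
    done
    return "$found"
}

# Constructed sample tree (not taken from a real installation).
demo=$(mktemp -d)
mkdir -p "$demo/webapps/examples" "$demo/conf/Catalina/localhost"
: > "$demo/conf/Catalina/localhost/manager.xml"
if find_default_apps "$demo"; then
    echo "clean: examples and manager are not deployed"
else
    echo "action needed: undeploy the applications listed above"
fi
rm -rf "$demo"
```

Against a real instance, call `find_default_apps "$CATALINA_BASE"` with Tomcat stopped or after the undeploy has completed, then rescan ports 8443, 15100 and 8080.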