Apache Tomcat examples directory vulnerabilities

Description

Apache Tomcat's default installation contains the "/examples" directory, which holds many example servlets and JSPs. Some of these examples are a security risk and should not be deployed on a production server.
The Sessions Example servlet (installed at /examples/servlets/servlet/SessionExample) allows session manipulation. Because the session is global, this servlet poses a serious security risk: an attacker can potentially become an administrator by manipulating the session.


Impact
Bypassing HttpOnly cookie protection, CSRF cookie manipulation, session manipulation.

Recommendation
Disable public access to the examples directory.
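The usual way to apply this recommendation is to undeploy the examples web application altogether. The following script is an added example, not part of this advisory or of Tomcat itself; it assumes the standard layout in which each webapp lives under CATALINA_BASE/webapps as an exploded directory and/or a .war file.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a Tomcat CATALINA_BASE/webapps
# directory for default web applications and remove the 'examples' app.
# Assumes the standard layout (exploded dir webapps/<app> or webapps/<app>.war).

# List, one per line, the Tomcat default webapps still deployed under $1.
list_default_webapps() {
    webapps="$1"
    for app in examples docs manager host-manager; do
        if [ -d "$webapps/$app" ] || [ -f "$webapps/$app.war" ]; then
            echo "$app"
        fi
    done
}

# True (exit 0) when the examples webapp is still deployed under $1.
examples_deployed() {
    [ -d "$1/examples" ] || [ -f "$1/examples.war" ]
}

# Remove the examples webapp. Both the exploded directory and the WAR must go:
# with autoDeploy enabled, Tomcat would otherwise re-expand examples.war on restart.
remove_examples_webapp() {
    rm -rf "$1/examples" "$1/examples.war"
    if examples_deployed "$1"; then
        echo "failed to remove examples webapp from $1" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: WEBAPPS=/path/to/tomcat/webapps sh this_script.sh
if [ -n "${WEBAPPS:-}" ]; then
    echo "default webapps deployed in $WEBAPPS:"
    list_default_webapps "$WEBAPPS"
    if examples_deployed "$WEBAPPS"; then
        remove_examples_webapp "$WEBAPPS" && echo "examples webapp removed"
    fi
fi
```

If the examples must stay for internal use, restricting them to trusted addresses with Tomcat's RemoteAddrValve in the app's META-INF/context.xml is the alternative, but removal is the simpler and safer choice on a production server.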
