Apache Tomcat insecure default administrative password

  • The Windows installer for Apache Tomcat defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.
  • Users of all Tomcat versions may mitigate this issue by one of the following methods:
      • Using the .zip or .tar.gz distributions
      • Specifying a strong password for the admin user when using the Windows installer
      • Removing the admin user from the tomcat-users.xml file after the Windows installer has completed
      • Editing the tomcat-users.xml file to provide the admin user with a strong password after the Windows installer has completed
  • A patch for this issue [1] has been applied to trunk and will be included in the next releases of 6.0.x and 5.5.x.
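The two tomcat-users.xml mitigations above come down to one check: no account in that file may carry a blank password, least of all one holding the admin or manager role. The script below is an added example, not part of the advisory or of Tomcat itself; it parses a constructed tomcat-users.xml in the format the installer writes and reports every user whose password attribute is empty or absent, so an administrator can verify a Windows install after the fact.

```python
# Added example (not from the original advisory or the Tomcat project).
# Scans a tomcat-users.xml for users with an empty or missing password, the
# state the Windows installer leaves the "admin" account in when no password
# is supplied. SAMPLE_TOMCAT_USERS is constructed input in Tomcat's format.
import xml.etree.ElementTree as ET

SAMPLE_TOMCAT_USERS = """<?xml version="1.0"?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="deploy" password="correct-horse-battery-staple" roles="manager"/>
</tomcat-users>
"""

# Roles that grant control over the server or its deployed applications.
PRIVILEGED_ROLES = ("admin", "manager")


def find_blank_password_users(xml_text):
    """Return a list of (username, roles) for every <user> whose password is blank."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() walks the whole tree, so it also handles <user> elements nested
    # below <tomcat-users>; tomcat-users.xml carries no XML namespace.
    for user in root.iter("user"):
        # Older Tomcat files used the "name" attribute instead of "username".
        name = user.get("username") or user.get("name") or ""
        password = user.get("password")
        if not password:  # absent attribute (None) and "" both count as blank
            roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
            findings.append((name, roles))
    return findings


def is_privileged(roles):
    """True if any of the given roles is one of PRIVILEGED_ROLES."""
    return any(r in PRIVILEGED_ROLES for r in roles)


if __name__ == "__main__":
    for name, roles in find_blank_password_users(SAMPLE_TOMCAT_USERS):
        level = "PRIVILEGED" if is_privileged(roles) else "unprivileged"
        print(f"{level}: user '{name}' has a blank password (roles: {', '.join(roles) or 'none'})")
```

Point `find_blank_password_users` at the contents of `conf/tomcat-users.xml` on a real install; a clean file returns an empty list.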