To whom it may concern,

I'm a security analyst at a company named Praetorian. When doing internal network pentesting it is extremely common to find Tomcat instances with manager portals, and users added to the manager role with the credentials on line 35 of this file: http://svn.apache.org/repos/asf/tomcat/trunk/conf/tomcat-users.xml

This would suggest to me that users are simply uncommenting that line and adding the manager role to it. Typically during network assessments that first compromise is the hardest part, and after the first machine is compromised it is quite easy to move horizontally throughout the network (this can be done through SSH keys in a Linux environment or pass-the-hash in a Windows environment). As you may be aware, one popular way we compromise that first machine is to scan the entire network for Tomcat servers and attempt to log in with "tomcat/tomcat" credentials. There are even Metasploit modules designed to do just this: https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login

I was wondering if it might be possible to modify the comment on line 35 to no longer have a hard-coded password, but instead have a dynamically generated password or passphrase. Then, when a user installs or first runs Tomcat, 3 or 4 random dynamic concatenated words get placed in the password section of the comment block on line 35. This would make it much harder for attackers, because it would prevent users from simply uncommenting the line and adding the manager role to that user. I know it sounds silly to put a random password in a comment block like that, but I think it would go a long way in hardening this common issue. It would also make networks as a whole more secure, because as I mentioned before, the first compromise is often a door to horizontally compromising more machines.

Thank you for all of your contributions to the open source community. I apologize if this email is not formatted correctly, I am new to the Apache Way. I would be interested to see what you guys think.

-Dylan Ayrey
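As an added example (not part of the email above or of Tomcat itself), the Python script below covers both halves of the proposal: it renders the commented-out example user line with a randomly generated passphrase in place of a fixed password, and it audits a tomcat-users.xml for the exact condition the email describes (a manager-role user whose password is a shipped default or equals the username). The word list, the weak-password set and the sample config are constructed for this demo.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed word list for the demo; a real installer would ship a much larger one.
WORDS = ["anchor", "basalt", "cobalt", "dahlia", "ember", "falcon", "granite",
         "harbor", "indigo", "juniper", "kestrel", "lantern", "marble", "nectar"]
# Passwords seen in shipped examples; a password equal to the username is also weak.
WEAK_DEFAULTS = {"tomcat", "s3cret", "admin", "manager", "password", "changeme"}
# Roles that grant access to the manager and host-manager web applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}


def generate_passphrase(count=4, words=WORDS):
    """Join `count` words chosen with a CSPRNG, as the email proposes."""
    return "-".join(secrets.choice(words) for _ in range(count))


def render_user_comment(username="tomcat", passphrase=None):
    """Commented-out example <user> line with a fresh passphrase, for tomcat-users.xml."""
    passphrase = passphrase or generate_passphrase()
    return ("<!--\n"
            f'  <user username="{username}" password="{passphrase}" roles="tomcat"/>\n'
            "-->")


def audit_tomcat_users(xml_text):
    """Usernames holding a manager/admin role with a default or username-equal
    password. Digested passwords never match, so only clear-text defaults are caught."""
    flagged = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # strip the xmlns declared on the root
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if (pw.lower() in WEAK_DEFAULTS or pw.lower() == name.lower()) and roles & MANAGER_ROLES:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample: an uncommented default-credential manager user, a user with
# a generated passphrase, and a weak user that holds no manager role.
SAMPLE_TOMCAT_USERS = f"""<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui"/>
  <user username="ops" password="{generate_passphrase()}" roles="manager-gui"/>
  <user username="guest" password="password" roles="tomcat"/>
</tomcat-users>"""
if __name__ == "__main__":
    print(render_user_comment(), audit_tomcat_users(SAMPLE_TOMCAT_USERS), sep="\n")
```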