Metasploit-framework: Tomcat modules do not distinguish between the Manager being disabled vs. enabled with auth
It's a 401 Unauthorized in both cases, but you also get a WWW-Authenticate header in the latter case.
Example from auxiliary/scanner/http/tomcat_mgr_login:
Reported via IRC.
wvu-r7
All 3 comments
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It鈥檚 been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
![github-actions[bot] picture](https://avatars2.githubusercontent.com/in/15368?v=4&s=40)
github-actions[bot]
on 17 Oct 2020
Removed the stale label.
Untested, but this is probably a legitimate issue.
Gone are the days of insecure Tomcats running rampant, yet it is still a viable, reliable and useful attack vector, and this module warrants at least the bare minimum of maintenance.
bcoles
on 17 Oct 2020
thanks @bcoles I changed it over to a confirmed label which stops it from being closed too
dwelch-r7
on 19 Oct 2020
Related issues
Sonya2010
路
3Comments
ejholmes
路
3Comments
idetest41
路
3Comments
BaconBombz
路
3Comments
miholtz
路
3Comments