Apache Tomcat examples directory vulnerabilities - Vulnerability Database

Apache Tomcat examples directory vulnerabilities

Description

Apache Tomcat's default installation includes an /examples directory containing demonstration servlets and JSP files intended for learning purposes. These examples should never be deployed in production environments as they introduce significant security vulnerabilities. Specifically, the Sessions Example servlet (located at /examples/servlets/servlet/SessionExample) allows unauthorized users to view and manipulate session data. Since session attributes are globally accessible through this servlet, attackers can modify session variables to escalate privileges or impersonate other users, including administrators.

Remediation

Remove or restrict access to the examples directory in production environments using one of the following methods:

Option 1 - Delete the examples directory (Recommended):
Remove the examples web application entirely from your Tomcat installation:

rm -rf $CATALINA_HOME/webapps/examples

Option 2 - Restrict access via security constraint:
If you must retain the examples for internal use, add a security constraint to $CATALINA_HOME/webapps/examples/WEB-INF/web.xml. Note that the constraint only grants access to anyone when the same web.xml also declares a <login-config> and the admin role is assigned to a user in conf/tomcat-users.xml; without those, Tomcat refuses every request to the constrained paths, which is still a safe outcome.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Examples</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

Option 3 - Block at network level:
Configure your web server or firewall to deny external access to /examples/* paths, allowing access only from trusted internal IP addresses.

After implementing any of these solutions, restart Tomcat and verify that the examples directory is no longer publicly accessible.
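The following script, added here as a verification example and not part of Invicti's or the Tomcat project's code, performs that check from a defender's side: it confirms the examples app is gone from webapps/ and probes the examples root and the Sessions Example servlet named above as an unauthenticated client. The CATALINA_HOME path and base URL passed to run_check are assumed placeholders for the instance being verified.

```python
"""Post-remediation check for the Tomcat examples web application (added example;
catalina_home and base_url are assumed placeholders for the instance under test)."""
import os
import urllib.error
import urllib.request

# Root of the examples app plus the Sessions Example servlet named in the advisory.
EXAMPLE_PATHS = ("/examples/", "/examples/servlets/servlet/SessionExample")
# Title string the Sessions Example servlet emits when it is actually served.
SERVLET_MARKER = "Sessions Example"

def list_webapps(catalina_home):
    """Names of deployed apps (directories and WARs) under $CATALINA_HOME/webapps."""
    webapps = os.path.join(catalina_home, "webapps")
    return os.listdir(webapps) if os.path.isdir(webapps) else []

def examples_present(webapp_names):
    """True if the examples app is still deployed as a directory or a WAR."""
    return any(n in ("examples", "examples.war") for n in webapp_names)

def fetch(url, timeout=5):
    """Return (status, body) for an unauthenticated GET; (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def classify(status, body):
    """Verdict for one probe: exposed, restricted, review, or unreachable."""
    if status is None:
        return "unreachable"
    if status in (401, 403, 404):
        return "restricted"      # login demanded, blocked, or app removed
    if SERVLET_MARKER in body:
        return "exposed"         # the example servlet itself was served
    # FORM login serves its page with 200, so a 200 without the marker needs a look.
    return "review" if status == 200 else "restricted"

def run_check(catalina_home, base_url):
    """Combine the on-disk and HTTP checks into one result dict."""
    result = {"examples_on_disk": examples_present(list_webapps(catalina_home))}
    for path in EXAMPLE_PATHS:
        result[path] = classify(*fetch(base_url.rstrip("/") + path))
    return result
```

Call run_check("/opt/tomcat", "http://localhost:8080") with your own path and URL; a verdict of exposed on either path, or examples_on_disk being True, means the remediation has not taken effect.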
