Tomcat admin default credentials script is not working anymore

I think the script /var/lib/openvas/plugins/2015/sw_tomcat_admin_default_credentials.nasl is outdated. It uses the admin path, which is not available anymore. I see some examples of a fix which use basic authentication to access the manager app instead of using j_security_check with a JSESSIONID, like


Do you have any plan to update this script?

Hello,

welcome to this community and thanks for your post.

Could you please share some more details on your observations:

  1. How did you determine that the mentioned VT doesn’t work anymore?
  2. Was Tomcat detected at all? (There should be a “log” entry about a detection in your report, and all Tomcat VTs rely on a previous detection of Tomcat.)
  3. What version of Tomcat is installed?

Unfortunately this seems to be some kind of misunderstanding. There are currently two VTs available in the Feeds:

  1. 2012/gb_tomcat_default_credentials.nasl

    This is the one from your link; it covers older Tomcat installations with a basic authentication check.

  2. 2015/sw_tomcat_admin_default_credentials.nasl

    This is the newer one, using j_security_check with a JSESSIONID.

Both are targeting different Tomcat versions with a different kind of check.

Sorry for the confusion in explaining the issue I am facing. It has nothing to do with the version. I tested with different versions of Tomcat, including Tomcat 6, 7 and 9 (latest). What I discovered was that
2012/gb_tomcat_default_credentials.nasl worked, but 2015/sw_tomcat_admin_default_credentials.nasl didn’t. It seems to be failing at

```nasl
req = http_get( item:"/admin/", port:port );
res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
cookie = eregmatch( pattern:"JSESSIONID=([0-9A-Z]+);", string:res );
if( isnull( cookie[1] ) )
  exit( 0 );
```

because Tomcat returns a 404 error. I think the issue is that it is trying to access /admin instead of /manager.
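The failure mode described in this thread, as an added example that is not part of the posts or of the Greenbone VTs: the cookie-extraction step of the 2015 check run over constructed HTTP responses, plus a classifier that tells the basic-auth case (2012 VT) from the j_security_check case (2015 VT). The paths, response bodies and the JSESSIONID value are constructed for illustration.

```python
import re

# Added example, not code from the thread or from the Greenbone VTs. The regex is
# the same pattern as the NASL line quoted above; everything else is assumed.
JSESSIONID_RE = re.compile(r"JSESSIONID=([0-9A-Z]+);")


def parse_status(raw: str) -> int:
    """Status code from the first line of a raw HTTP response."""
    return int(raw.split("\r\n", 1)[0].split(" ")[1])


def extract_jsessionid(raw: str):
    """Mirror the VT step: JSESSIONID value, or None (the VT exits on None)."""
    m = JSESSIONID_RE.search(raw)
    return m.group(1) if m else None


def classify_login(raw: str) -> str:
    """'absent' (404), 'basic' (401 + Basic challenge), 'form' (session cookie
    and a j_security_check form in the body), otherwise 'unknown'."""
    status = parse_status(raw)
    headers, _, body = raw.partition("\r\n\r\n")
    if status == 404:
        return "absent"                      # /admin/ case from the thread
    if status == 401 and re.search(r"(?im)^WWW-Authenticate:\s*Basic", headers):
        return "basic"                       # what the 2012 VT handles
    if extract_jsessionid(headers) is not None and "j_security_check" in body:
        return "form"                        # what the 2015 VT handles
    return "unknown"


def first_usable_path(responses: dict):
    """Walk {path: raw_response} in order; return (path, mechanism) for the
    first path that exposes a login mechanism, else None."""
    for path, raw in responses.items():
        kind = classify_login(raw)
        if kind in ("basic", "form"):
            return path, kind
    return None


# Constructed sample responses (not captured from a real server).
ADMIN_404 = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
             "<html><body>HTTP Status 404</body></html>")
MANAGER_401 = ("HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Basic realm=\"Tomcat Manager Application\"\r\n\r\n")
FORM_200 = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90; Path=/; HttpOnly\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<form method=\"POST\" action=\"j_security_check\">...</form>")
SAMPLE = {"/admin/": ADMIN_404, "/manager/html": MANAGER_401, "/login/": FORM_200}
```

With `SAMPLE`, `first_usable_path` skips the 404 on `/admin/` (where the quoted NASL would already have exited) and reports `/manager/html` as basic auth.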