tomcat-users mailing list archives

From Ragini <>
Subject Vulnerability or a valid behavior of tomcat ?
Date Fri, 21 Sep 2012 10:23:10 GMT
Hi all,

I wanted to exploit Tomcat vulnerability CVE-2009-2693, named "*Arbitrary 
file deletion and/or alteration on deploy*". You can have a look at it 
here. (
Here they say the affected versions are "Affects: 6.0.0-6.0.20".

I wanted to give it a try. So I downloaded a web application, insecure 
(insecure web application from OWASP). This application has some JSP 
files and some Java files. So in one of the Java files 
(, I added the following code, which 
deletes the file named file1.txt from the home directory. Please note that I use 
Ubuntu and I created file1.txt in the home directory.

The code looks like below:

    // requires: import java.io.File;
    public void deletefile() {
        try {
            // this deletes file1.txt from home dir
            File file = new File("../../file1.txt");
            if (file.delete()) {
                System.out.println(file.getName() + " is deleted!");
            } else {
                System.out.println("Delete operation is failed.");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }


I compiled the file( and I replaced 
the default DatasourceConnectionprovider.class with the changed 
DatasourceConnectionprovider.class. So in short I deploy a war file in 
tomcat which deletes the file1.txt from home directory.

I tried this with both Tomcat 6.0.35 and Tomcat 7.0.28 and it actually 
deleted the file1.txt from the home directory. So I guess I have succeeded in 
exploiting the said "CVE-2009-2693 named *Arbitrary file deletion and/or 
alteration on deploy*" vulnerability.

So my question is:

1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I 
could do this with tomcat 7.0.28 also. I checked for tomcat 7 
vulnerability and I could not find this (*Arbitrary file deletion and/or 
alteration on deploy*) in the list on org.apache site.

a) Is the way I have tried to exploit that vulnerability correct? Or 
is it something which can be considered normal behaviour? (attempting 
to delete a file from the home dir or from the web root dir while deploying 
a war file)

b) Does this vulnerability still exist in Tomcat 7.0.28? I think so 
because I could delete the file from the home dir with Tomcat 7.0.28 also, 
but I am not sure. Should this be reported to the security team of Tomcat?

Ultimately I want to make sure that I have succeeded to exploit 
vulnerability of tomcat. This is part of my research and no intention to 
harm others. :-)
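
Added example, not part of the original message and not Tomcat's own code: CVE-2009-2693 concerns ".." segments in the entry names of a WAR being expanded at deploy time, so a pre-deployment check inspects archive entry names (for instance those listed by java.util.zip.ZipFile.entries()) rather than what the application's classes do at run time. The class name, method name, docBase path and sample entry names below are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration (hypothetical class; not Tomcat's WAR expansion code).
public class WarEntryCheck {

    /** Returns the entry names that would be written outside docBase on expansion. */
    static List<String> escapingEntries(List<String> entryNames, File docBase)
            throws IOException {
        File base = docBase.getCanonicalFile();
        String prefix = base.getPath() + File.separator;
        List<String> escaping = new ArrayList<>();
        for (String name : entryNames) {
            // Resolve the entry as an expander would, collapsing any ".." segments.
            File target = new File(base, name).getCanonicalFile();
            boolean inside = target.equals(base) || target.getPath().startsWith(prefix);
            if (!inside) {
                escaping.add(name);
            }
        }
        return escaping;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the directory a WAR would be expanded into,
        // and a list of entry names as they might appear in the archive.
        File docBase = new File(System.getProperty("java.io.tmpdir"), "webapps/insecure");
        List<String> names = Arrays.asList(
                "index.jsp",
                "WEB-INF/web.xml",
                "WEB-INF/classes/../web.xml",   // contains ".." but stays inside docBase
                "../../file1.txt");             // resolves outside docBase
        for (String name : escapingEntries(names, docBase)) {
            System.out.println("entry escapes docBase: " + name);
        }
    }
}
```

The comparison is done on canonical paths with a trailing separator so that a sibling directory whose name merely starts with the docBase name is not treated as inside it.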


