tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Vulnerability or a valid behavior of tomcat ?
Date Fri, 21 Sep 2012 10:46:10 GMT
On 21/09/2012 11:23, Ragini wrote:
> I tried this with both tomcat 6.0.35 and tomcat 7.0.28 and it actually
> deleted the file1.txt from home directory. So I guess I have succeeded to
> exploit the said "CVE-2009-2693 named *Arbitrary file deletion and/or
> alteration on deploy* " vulnerability.

You guess wrong.

> So my question is:
> 
> 1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I
> could do this with tomcat 7.0.28 also. I checked for tomcat 7
> vulnerability and I could not find this (*Arbitrary file deletion and/or
> alteration on deploy*) in the list on org.apache site.

That is because Tomcat 7 is not vulnerable to that vulnerability.

> a) the way I have tried to exploit that vulnerability is correct ?

No, it is not correct.

> or is it something which can be considered normal behaviour ?

Yes, the behaviour you observe is normal, expected behaviour.

> (attempting to try to delete file from home dir or from web root dir while deploying
> war file)

That isn't what you are doing.

> b) Is this vulnerability still exist in tomcat 7.0.28 ?

No.

> I think so because I could delete file from home dir with tomcat 7.0.28 version also.

Your thinking is incorrect.

> but I am not sure. Should this be reported to security team of tomcat ?

No. Please don't waste our time.

Further, potential security vulnerabilities should not be discussed on a
public mailing list. They should be reported privately to the security
team. Fortunately no harm was done in this case since your supposed
vulnerability was nothing of the sort. As someone claiming to be a
security researcher you should be aware of that. That makes one question
your claim to be a security researcher.

> Ultimately I want to make sure that I have succeeded to exploit
> vulnerability of tomcat. This is part of my research and no intention to
> harm others. :-)

You need to re-read the description of CVE-2009-2693 on the Tomcat web
site [1] and then try and exploit that rather than simply deleting a
file. Unless you run under a security manager, a JSP is able to delete
any file the user Tomcat is running under is able to delete.

The fact that you do not understand the above adds further doubt to
your claim to be a security researcher. Your previous message to this
list (a security researcher who has not heard of Metasploit?) also casts
serious doubt on your claims to be a security researcher.

Mark

[1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
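The point Mark makes about the security manager can be shown in a few lines of plain Java. The program below is an added illustration written for this archive page; it is not code from the thread and not Tomcat's own code. It creates its own temporary files and tries to delete them twice: once with no security manager installed (the same situation as a JSP in a default Tomcat, where the delete simply succeeds because the Tomcat user is allowed to delete the file), and once under a hypothetical minimal SecurityManager that refuses any java.io.FilePermission carrying the "delete" action, standing in for a catalina.policy grant that gives a web application read and write but not delete. The class names NoDeleteManager and JspDeleteDemo are invented for the example.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

public class JspDeleteDemo {

    // Hypothetical minimal SecurityManager (example only): permits everything
    // except a FilePermission whose actions include "delete". This mimics a
    // policy that grants a web application read/write on its files but no
    // delete, so the demo can still create files and print.
    static class NoDeleteManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission
                    && perm.getActions().contains("delete")) {
                throw new SecurityException("policy denies delete on " + perm.getName());
            }
            // all other permissions are allowed in this demo
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Perform the same File.delete() call a JSP would make; report the
    // outcome instead of propagating the SecurityException.
    static boolean tryDelete(File target) {
        try {
            return target.delete();
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed target: a temporary file created by the demo itself.
        File first = File.createTempFile("file1", ".txt");
        // No security manager installed: the delete succeeds, which is the
        // normal behaviour the original poster mistook for a vulnerability.
        System.out.println("without security manager, deleted=" + tryDelete(first));

        File second = File.createTempFile("file1", ".txt");
        // Install the restrictive manager: the identical call is now refused.
        System.setSecurityManager(new NoDeleteManager());
        System.out.println("with security manager, deleted=" + tryDelete(second));
        System.out.println("file still exists=" + second.exists());

        // Demo cleanup only: drop the manager again and remove the second file.
        System.setSecurityManager(null);
        second.delete();
    }
}
```

Compile and run with `javac JspDeleteDemo.java && java JspDeleteDemo`; on Java 18 or later the runtime refuses to install a security manager unless it is started with `-Djava.security.manager=allow`, and the SecurityManager API is deprecated for removal there. In Tomcat the equivalent is starting with `catalina.sh run -security`, which installs the security manager with the grants in `conf/catalina.policy`; a web application is then limited to the FilePermission actions that policy grants it, which is the only thing standing between a JSP and every file the Tomcat user can delete.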

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

