tomcat-users mailing list archives

From Ragini <raginippa...@gmail.com>
Subject Re: Vulnerability or a valid behavior of tomcat ?
Date Fri, 21 Sep 2012 11:39:48 GMT
On 09/21/2012 12:46 PM, Mark Thomas wrote:
> On 21/09/2012 11:23, Ragini wrote:
>> I tried this with both tomcat 6.0.35 and tomcat7.0.28 and it actually
>> deleted the file1.txt from home directory. So I guess I have succeeded to
>> exploit the said "CVE-2009-2693 named *Arbitrary file deletion and/or
>> alteration on deploy* " vulnerability.
> You guess wrong.
>
>> So my question is:
>>
>> 1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I
>> could do this with tomcat 7.0.28 also. I checked for tomcat 7
>> vulnerability and I could not find this (*Arbitrary file deletion and/or
>> alteration on deploy*) in the list on org.apache site.
> That is because Tomcat 7 is not vulnerable to that vulnerability.
>
>> a) the way I have tried to exploit that vulnerability is correct ?
> No, it is not correct.
>
>> or is it something which can be considered normal behaviour ?
> Yes, the behaviour you observe is normal, expected behaviour.
>
>> (attempting to try to delete file from home dir or from web root dir while deploying
>> war file)
> That isn't what you are doing.
>
>> b) Does this vulnerability still exist in tomcat 7.0.28 ?
> No.
>
>> I think so because I could delete file from home dir with tomcat 7.0.28 version also.
> Your thinking is incorrect.
>
>> but I am not sure. Should this be reported to security team of tomcat ?
> No. Please don't waste our time.
>
> Further, potential security vulnerabilities should not be discussed on a
> public mailing list. They should be reported privately to the security
> team. Fortunately no harm was done in this case since your supposed
> vulnerability was nothing of the sort. As someone claiming to be a
> security researcher you should be aware of that. That makes one question
> your claim to be a security researcher.
>
>> Ultimately I want to make sure that I have succeeded to exploit
>> vulnerability of tomcat. This is part of my research and no intention to
>> harm others. :-)
> You need to re-read the description of CVE-2009-2693 on the Tomcat web
> site [1] and then try and exploit that rather than simply deleting a
> file. Unless you run under a security manager, a JSP is able to delete
> any file the user Tomcat is running under is able to delete.
>
> The fact that you do not understand the above adds further doubt to
> your claim to be a security researcher. Your previous message to this
> list (a security researcher who has not heard of Metasploit?) also casts
> serious doubt on your claims to be a security researcher.
>
> Mark
>
> [1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Thanks for pointing out about running Tomcat under a security manager.
And as you have mentioned "research" multiple times, let me be clear
:-) . I am not an expert in security research. I am doing my master's thesis
and this is a part of it, so I said "as part of my research work".
Before this I have not worked with Tomcat or any security related
things. So as a beginner it is obvious not to know about Metasploit or
the security manager of Tomcat. ;-) One does not need to be an expert at
the thing before doing research about it. Knowing and learning about it
is also a part of research.

Regards.

Richa
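
The security manager point raised in the quoted reply, shown as a policy fragment. This is an added example, not part of either message or of Tomcat's shipped configuration; the web application name "myapp" and its scratch directory are hypothetical.

```java
// Constructed fragment for $CATALINA_BASE/conf/catalina.policy
// (Java policy-file syntax; "myapp" is a hypothetical web application).
//
// The policy is only enforced when Tomcat is started with the security
// manager enabled:
//   $CATALINA_HOME/bin/catalina.sh start -security
// Without -security, code in a JSP is limited only by the file-system
// permissions of the operating-system account Tomcat runs under.

grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // Read-only access to the application's own deployed files.
    permission java.io.FilePermission "${catalina.base}/webapps/myapp/-", "read";

    // A scratch directory (assumed) that the application may write to
    // and clean up.
    permission java.io.FilePermission "${catalina.base}/temp/myapp/-", "read,write,delete";

    // No FilePermission here covers the home directory of the account
    // running Tomcat, so a File.delete() on file1.txt there, called from
    // a JSP in myapp, is rejected with a SecurityException instead of
    // removing the file.
};
```

Running Tomcat under a dedicated account that owns nothing outside its own directories narrows the same exposure at the operating-system level, whether or not the security manager is enabled.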
