tomcat-users mailing list archives

From Ragini <>
Subject Re: Vulnerability or a valid behavior of tomcat ?
Date Fri, 21 Sep 2012 11:39:48 GMT
On 09/21/2012 12:46 PM, Mark Thomas wrote:
> On 21/09/2012 11:23, Ragini wrote:
>> I tried this with both tomcat 6.0.35 and tomcat7.0.28 and it actually
>> deleted the file1.txt from home directory. So I guess I have succeeded to
>> exploit the said "CVE-2009-2693 named *Arbitrary file deletion and/or
>> alteration on deploy* " vulnerability.
> You guess wrong.
>> So my question is:
>> 1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I
>> could do this with tomcat 7.0.28 also. I checked for tomcat 7
>> vulnerability and I could not find this (*Arbitrary file deletion and/or
>> alteration on deploy*) in the list on org.apache site.
> That is because Tomcat 7 is not vulnerable to that vulnerability.
>> a) the way I have tried to exploit that vulnerability is correct ?
> No, it is not correct.
>> or is it something which can be considered normal behaviour ?
> Yes, the behaviour you observe is normal, expected behaviour.
>> (attempting to try to delete file from home dir or from web root dir while deploying
>> war file)
> That isn't what you are doing.
>> b) Does this vulnerability still exist in tomcat 7.0.28 ?
> No.
>> I think so because I could delete file from home dir with tomcat 7.0.28 version also.
> Your thinking is incorrect.
>> but I am not sure. Should this be reported to security team of tomcat ?
> No. Please don't waste our time.
> Further, potential security vulnerabilities should not be discussed on a
> public mailing list. They should be reported privately to the security
> team. Fortunately no harm was done in this case since your supposed
> vulnerability was nothing of the sort. As someone claiming to be a
> security researcher you should be aware of that. That makes one question
> your claim to be a security researcher.
>> Ultimately I want to make sure that I have succeeded to exploit
>> vulnerability of tomcat. This is part of my research and no intention to
>> harm others. :-)
> You need to re-read the description of CVE-2009-2693 on the Tomcat web
> site [1] and then try and exploit that rather than simply deleting a
> file. Unless you run under a security manager, a JSP is able to delete
> any file the user Tomcat is running under is able to delete.
> The fact that you do not understand the above adds further doubt to
> your claim to be a security researcher. Your previous message to this
> list (a security researcher who has not heard of Metasploit?) also casts
> serious doubt on your claims to be a security researcher.
> Mark
> [1]
Thanks for pointing out about running tomcat under security manager.
And as you have mentioned about "research" multiple times let me be clear
:-) . I am not an expert in security research. I am doing my master thesis
and this is a part of it so I said "as part of my research work".
Before this I have not worked with tomcat or any security related
things. So as a beginner it is obvious not to know about metasploit or
security manager of tomcat. ;-) One does not need to be an expert at
the thing before doing research about it. Knowing and learning about it
is also a part of research.
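
Added example, not part of the original thread or of Tomcat: the quoted reply says that without a security manager a JSP can delete whatever the OS account running Tomcat can delete, so this Python check decides from POSIX mode bits whether a given account can unlink a file. The uid, the empty group set and the temporary directory tree are constructed for illustration; ACLs and SELinux/AppArmor are not modelled.

```python
import os
import stat
import tempfile


def can_delete(path, uid, gids):
    """True if account (uid, gids) may unlink `path` under POSIX mode bits.

    Deletion is decided by the parent directory, not the file's own mode:
    the account needs write+search on the parent, and if the parent is
    sticky it must also own the file or the directory.
    """
    if uid == 0:
        return True  # root bypasses mode bits
    parent = os.path.dirname(os.path.abspath(path))
    d = os.stat(parent)
    f = os.lstat(path)
    if uid == d.st_uid:
        bits = d.st_mode >> 6      # owner class
    elif d.st_gid in gids:
        bits = d.st_mode >> 3      # group class
    else:
        bits = d.st_mode           # other class
    if bits & 0o3 != 0o3:          # need w (2) and x (1) on the directory
        return False
    if d.st_mode & stat.S_ISVTX:   # sticky bit, as on /tmp
        return uid in (f.st_uid, d.st_uid)
    return True


def demo():
    """Constructed tree: world-writable, owner-only and sticky directories."""
    service_uid = os.getuid() + 1000  # hypothetical Tomcat account: not owner, not root
    service_gids = set()              # assumed to be in no group that owns the tree
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("open", 0o777), ("locked", 0o755), ("sticky", 0o1777)):
            d = os.path.join(root, name)
            os.mkdir(d)
            victim = os.path.join(d, "file1.txt")
            open(victim, "w").close()
            os.chmod(d, mode)
            results[name] = can_delete(victim, service_uid, service_gids)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the same check with the real service account's uid and groups over directories outside the webapp tree shows how far a deployed JSP could reach when no security manager is in place.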