tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ragini <raginippa...@gmail.com>
Subject Re: Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerabilty CVE-2009-2693
Date Tue, 25 Sep 2012 13:59:13 GMT
On 09/25/2012 03:42 PM, Mark Thomas wrote:
> On 25/09/2012 12:15, Ragini wrote:
>> Hi,
>>
>> I want to try to exploit tomcat vulnerability CVE-2009-2693. From site
>> it says that the affected version are from 6.0.0 to 6.0.20. I could not
>> find any of this on official apache tomcat website. I want to do some
>> tests on that vulnerable versions.
> Hmm. I find it hard to believe you couldn't find the Tomcat 6 download
> pages [1]. (Although judging by the level of competence your e-mails to
> this list to date have demonstrated, I suppose that is a possibility).
>
> The very first section on that page contains the text:
> "This page provides download links for obtaining the latest version of
> Tomcat 6.0.x, as well as links to the archives of older releases."
>
> Did you read that section? Did you not understand that since you want an
> old release you need to look in the archives?
>
> The following section contains a link [2] the archives. From that point
> it should be obvious.
>
>> *Could you please guide me from where I can download the tomcat version
>> which is vulnerable to CVE-2009-2693(Arbitrary file deletion and /or
>> alteration on deploy) ? **Pl note that I use ubuntu 12.0.4.*
> I'd suggest you use [3].
Is there a particular reason to use 6.0.20 only ?
>> Basically this is how I plan to exploit that vulnerability:
>>
>> 1) I insert code to create a directory in user's home directory in one
>> of the java class of my web application.
>> 2) I deploy the war file to tomcat's web-apps dir.
>> 3)I start the tomcat with security manager and it should then create a
>> directory in user's home directory.
> That would be a complete waste of time. You'll be testing the security
> manager rather than anything to do with CVE-2009-2693.
>
> Either you have failed to read the description of CVE-2009-2693 [4] or
> your have failed to comprehend it.
     may be I have failed to understand it. could u please explain it 
and give me an idea about how can I exploit it actually ?
> You need to ask yourself whether you have the necessary skills and
> understanding to carry out the research you claim you want to perform.
Well I asked and realized that I should not yet give up ! :-)
>
> Mark
>
> [1] http://tomcat.apache.org/download-60.cgi
> [2] http://archive.apache.org/dist/tomcat/tomcat-6
> [3]
> http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
> [4] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message