From: Ragini
To: Tomcat Users List
Date: Fri, 21 Sep 2012 13:39:48 +0200
Subject: Re: Vulnerability or a valid behavior of tomcat ?
Message-ID: <505C5204.9040801@gmail.com>
In-Reply-To: <505C4572.40607@apache.org>

On 09/21/2012 12:46 PM, Mark Thomas wrote:
> On 21/09/2012 11:23, Ragini wrote:
>> I tried this with both tomcat 6.0.35 and tomcat 7.0.28 and it actually
>> deleted the file1.txt from the home directory. So I guess I have succeeded in
>> exploiting the said "CVE-2009-2693 named *Arbitrary file deletion and/or
>> alteration on deploy*" vulnerability.
> You guess wrong.
>
>> So my question is:
>>
>> 1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I
>> could do this with tomcat 7.0.28 also. I checked for tomcat 7
>> vulnerabilities and I could not find this (*Arbitrary file deletion and/or
>> alteration on deploy*) in the list on the org.apache site.
> That is because Tomcat 7 is not vulnerable to that vulnerability.
>
>> a) Is the way I have tried to exploit that vulnerability correct?
> No, it is not correct.
>
>> or is it something which can be considered normal behaviour?
> Yes, the behaviour you observe is normal, expected behaviour.
>
>> (attempting to delete a file from the home dir or from the web root dir while deploying
>> a war file)
> That isn't what you are doing.
>
>> b) Does this vulnerability still exist in tomcat 7.0.28?
> No.
>
>> I think so because I could delete a file from the home dir with the tomcat 7.0.28 version also.
> Your thinking is incorrect.
>
>> but I am not sure. Should this be reported to the security team of tomcat?
> No. Please don't waste our time.
>
> Further, potential security vulnerabilities should not be discussed on a
> public mailing list. They should be reported privately to the security
> team. Fortunately no harm was done in this case since your supposed
> vulnerability was nothing of the sort. As someone claiming to be a
> security researcher you should be aware of that. That makes one question
> your claim to be a security researcher.
>
>> Ultimately I want to make sure that I have succeeded in exploiting a
>> vulnerability of tomcat. This is part of my research, with no intention to
>> harm others. :-)
> You need to re-read the description of CVE-2009-2693 on the Tomcat web
> site [1] and then try and exploit that rather than simply deleting a
> file. Unless you run under a security manager, a JSP is able to delete
> any file the user Tomcat is running under is able to delete.
>
> The fact that you do not understand the above adds further doubt to
> your claim to be a security researcher. Your previous message to this
> list (a security researcher who has not heard of Metasploit?) also casts
> serious doubt on your claims to be a security researcher.
>
> Mark
>
> [1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

Thanks for pointing out running tomcat under a security manager.
And as you have mentioned "research" multiple times, let me be clear. :-) I am not an expert in security research. I am doing my master's thesis and this is a part of it, so I said "as part of my research work". Before this I had not worked with tomcat or any security-related things. So as a beginner it is obvious not to know about Metasploit or the security manager of tomcat. ;-) One does not need to be an expert at the thing before doing research about it. Knowing and learning about it is also a part of research.

Regards,
Richa
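The distinction Mark draws above is the whole point of the thread: a JSP that deletes a file is ordinary webapp code (anything the Tomcat process user can delete, a JSP can delete unless a security manager is in force), whereas CVE-2009-2693 is about the deploy step itself. The Tomcat 6 security page linked as [1] describes it as WAR files not being checked for directory traversal when deployed, so an entry whose name climbs out with `../` could be written outside the web application root. The Python below is an added example written for this archive, not Tomcat's code and not anything posted in the thread. It builds a constructed WAR in memory with one traversal entry, shows where an unchecked deploy would place that entry, and applies the generic zip-entry check a hardened deployer needs. The check is the general fix for this vulnerability class, not Tomcat's specific patch; the paths `/opt/tomcat/webapps/app` and `conf/tomcat-users.xml` are assumptions for illustration, and the traversal rules are POSIX ones.

```python
"""Added example: the WAR-deploy traversal class behind CVE-2009-2693.
Not Tomcat code; directory layout and file names are assumptions."""
import io
import os
import posixpath
import zipfile


class UnsafeEntry(ValueError):
    """A WAR entry whose name would place a file outside the webapp directory."""


def build_war(entries):
    """Build an in-memory WAR (a plain zip) from {entry_name: bytes}.
    Constructed sample data; zipfile stores the names exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target(app_dir, entry_name):
    """Join the entry name onto the webapp directory with no traversal check:
    the class of behaviour the CVE-2009-2693 fix removed."""
    return os.path.normpath(os.path.join(app_dir, entry_name))


def checked_target(app_dir, entry_name):
    """Return where entry_name may be written, or raise UnsafeEntry.
    Rejects absolute names, names that normalise to a parent reference, and
    names whose resolved path (symlinks included) leaves app_dir."""
    name = entry_name.replace("\\", "/")  # zip names use '/'; treat '\' the same way
    if name.startswith("/"):
        raise UnsafeEntry(entry_name)
    normalized = posixpath.normpath(name)  # "WEB-INF/../../x" -> "../x"
    if normalized == ".." or normalized.startswith("../"):
        raise UnsafeEntry(entry_name)
    root = os.path.realpath(app_dir)
    target = os.path.realpath(os.path.join(root, *normalized.split("/")))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeEntry(entry_name)
    return target


def plan_deploy(war_bytes, app_dir, target_fn):
    """Map every entry in the WAR to the path target_fn says it would be written to."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return {name: target_fn(app_dir, name) for name in zf.namelist()}


def rejected_entries(war_bytes, app_dir):
    """Entries the checked deploy refuses. A deployer should abort the whole
    deploy on any of these rather than silently skip them."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            try:
                checked_target(app_dir, name)
            except UnsafeEntry:
                bad.append(name)
    return bad


# Assumed layout: CATALINA_BASE=/opt/tomcat, appBase=webapps, app deployed as "app".
APP_DIR = os.path.join(os.sep, "opt", "tomcat", "webapps", "app")
CONF_TARGET = os.path.join(os.sep, "opt", "tomcat", "conf", "tomcat-users.xml")

# Constructed sample WAR: two legitimate entries and one that climbs out of
# webapps/app/ to overwrite a file in Tomcat's conf/ directory. The JSP body
# deletes a file, which is plain JSP behaviour and not the vulnerability.
TRAVERSAL_ENTRY = "../../conf/tomcat-users.xml"
SAMPLE_WAR = build_war({
    "WEB-INF/web.xml": b"<web-app/>",
    "index.jsp": b'<%= new java.io.File("/home/user/file1.txt").delete() %>',
    TRAVERSAL_ENTRY: b"<tomcat-users/>",
})

if __name__ == "__main__":
    for entry, path in plan_deploy(SAMPLE_WAR, APP_DIR, naive_target).items():
        print("unchecked deploy:", entry, "->", path)
    print("checked deploy rejects:", rejected_entries(SAMPLE_WAR, APP_DIR))
```

Running the block shows the unchecked deploy resolving the traversal entry to `/opt/tomcat/conf/tomcat-users.xml`, while the checked deploy rejects exactly that entry and keeps `index.jsp` and `WEB-INF/web.xml`. The `realpath` plus `commonpath` step is what catches the cases a string prefix check misses, such as an entry that passes through a symlinked directory inside the webapp.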