On 21/09/2012 11:23, Ragini wrote: > I tried this with both tomcat 6.0.35 and tomcat7.0.28 and it actually > deleted the file1.txt from home directory. So I guess I have succeded to > exploit the said "CVE-2009-2693 named *Arbitrary file deletion and/or > alteration on deploy* " vulnerability.
You guess wrong. > So my question is: > > 1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I > could do this with tomcat 7.0.28 also. I checked for tomcat 7 > vulnerability and I could not find this (*Arbitrary file deletion and/or > alteration on deploy*) in the list on org.apache site. That is because Tomcat 7 is not vulnerable to that vulnerability. > a) the way I have tried to exploit that vulnerability is correct ? No, it is not correct. > or is it something which can be considered normal behaviour ? Yes, the behaviour you observe is normal, expected behaviour. > (attempting to try to delete file from home dir or from web root dir while > deploying > war file) That isn't what you are doing. > b) Is this vulnerability still exist in tomcat 7.0.28 ? No. > I think so bcoz I could delete file form home dir with tomcat 7.0.28 version > also. Your thinking is incorrect. > but I am not sure.* Should this be reported to security team of tomcat ? No. Please don't waste our time. Further, potential security vulnerabilities should not be discussed on a public mailing list. They should be reported privately to the security team. Fortunately no harm was done in this case since your supposed vulnerability was nothing of the sort. As someone claiming to be a security researcher you should be aware of that. That makes one question your claim to be a security researcher. > Ultimately I want to make sure that I have succeeded to exploit > vulnerability of tomcat. This is part of my research and no intention to > harm others. :-) You need to re-read the description of CVE-2009-2693 on the Tomcat web site [1] and then try and exploit that rather than simply deleting a file. Unless you run under a security manager, a JSP is able to delete any file the user Tomcat is running under is able to delete. That fact that you do not understand the above adds further doubt to your claim to be a security researcher. Your previous message to this list (a security researcher who has not heard of Metasploit?) also casts serious doubt on your claims to be a security researcher. Mark [1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
