On 09/21/2012 12:46 PM, Mark Thomas wrote:
> On 21/09/2012 11:23, Ragini wrote:
> > I tried this with both tomcat 6.0.35 and tomcat 7.0.28 and it actually
> > deleted the file1.txt from home directory. So I guess I have succeeded in
> > exploiting the said "CVE-2009-2693 named *Arbitrary file deletion and/or
> > alteration on deploy*" vulnerability.
>
> You guess wrong.
>
> > So my question is:
> >
> > 1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I
> > could do this with tomcat 7.0.28 also. I checked for tomcat 7
> > vulnerability and I could not find this (*Arbitrary file deletion and/or
> > alteration on deploy*) in the list on org.apache site.
>
> That is because Tomcat 7 is not vulnerable to that vulnerability.
>
> > a) Is the way I have tried to exploit that vulnerability correct?
>
> No, it is not correct.
>
> > or is it something which can be considered normal behaviour?
>
> Yes, the behaviour you observe is normal, expected behaviour.
>
> > (attempting to try to delete file from home dir or from web root dir
> > while deploying war file)
>
> That isn't what you are doing.
>
> > b) Does this vulnerability still exist in tomcat 7.0.28?
>
> No.
>
> > I think so because I could delete file from home dir with tomcat 7.0.28
> > version also.
>
> Your thinking is incorrect.
>
> > but I am not sure. Should this be reported to security team of tomcat?
>
> No. Please don't waste our time.
>
> Further, potential security vulnerabilities should not be discussed on a
> public mailing list. They should be reported privately to the security
> team. Fortunately no harm was done in this case since your supposed
> vulnerability was nothing of the sort. As someone claiming to be a
> security researcher you should be aware of that. That makes one question
> your claim to be a security researcher.
>
> > Ultimately I want to make sure that I have succeeded in exploiting a
> > vulnerability of tomcat. This is part of my research and no intention to
> > harm others. :-)
>
> You need to re-read the description of CVE-2009-2693 on the Tomcat web
> site [1] and then try and exploit that rather than simply deleting a
> file. Unless you run under a security manager, a JSP is able to delete
> any file the user Tomcat is running under is able to delete.
>
> The fact that you do not understand the above adds further doubt to
> your claim to be a security researcher. Your previous message to this
> list (a security researcher who has not heard of Metasploit?) also casts
> serious doubt on your claims to be a security researcher.
>
> Mark
>
> [1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Thanks for pointing out about running tomcat under security manager. And as you have mentioned "research" multiple times, let me be clear :-) . I am not an expert in security research. I am doing my master's thesis and this is a part of it, so I said "as part of my research work". Before this I have not worked with tomcat or any security related things. So as a beginner it is obvious not to know about Metasploit or security manager of tomcat. ;-) One does not need to be an expert at the thing before doing research about it. Knowing and learning about it is also a part of research.

Regards.

Richa
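
What "running under a security manager" changes for the file deletion discussed in this thread, shown as an added example that is not part of the original messages: a grant appended to Tomcat's conf/catalina.policy. The web application name "thesisapp" is an assumption made for illustration.

```conf
// Appended to conf/catalina.policy. "thesisapp" is a hypothetical web
// application name. The policy is only enforced when Tomcat is started
// with the security manager enabled, e.g. "catalina.sh start -security".
//
// A grant on the context root directory also covers the application's
// JSP pages.
grant codeBase "file:${catalina.base}/webapps/thesisapp/-" {
    // Read-only access to the application's own files. No "write" or
    // "delete" action is granted, here or for any path outside the webapp.
    permission java.io.FilePermission "${catalina.base}/webapps/thesisapp/-", "read";
};
```

With this in place, a JSP that calls java.io.File.delete() on a file in the Tomcat user's home directory gets a java.security.AccessControlException instead of removing the file, provided no other grant in the policy gives that code a wider FilePermission.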
