On 25/09/2012 12:15, Ragini wrote:
> Hi,
> 
> I want to try to exploit tomcat vulnerability CVE-2009-2693. From site
> it says that the affected version are from 6.0.0 to 6.0.20. I could not
> find any of this on official apache tomcat website. I want to do some
> tests on that vulnerable versions.

Hmm. I find it hard to believe you couldn't find the Tomcat 6 download
pages [1]. (Although judging by the level of competence your e-mails to
this list to date have demonstrated, I suppose that is a possibility).

The very first section on that page contains the text:
"This page provides download links for obtaining the latest version of
Tomcat 6.0.x, as well as links to the archives of older releases."

Did you read that section? Did you not understand that since you want an
old release you need to look in the archives?

The following section contains a link [2] to the archives. From that point
it should be obvious.

> Could you please guide me from where I can download the tomcat version
> which is vulnerable to CVE-2009-2693 (Arbitrary file deletion and/or
> alteration on deploy)? Pl note that I use ubuntu 12.0.4.

I'd suggest you use [3].

> Basically this is how I plan to exploit that vulnerability:
> 
> 1) I insert code to create a directory in user's home directory in one
> of the java class of my web application.
> 2) I deploy the war file to tomcat's web-apps dir.
> 3)I start the tomcat with security manager and it should then create a
> directory in user's home directory.

That would be a complete waste of time. You'll be testing the security
manager rather than anything to do with CVE-2009-2693.

Either you have failed to read the description of CVE-2009-2693 [4] or
you have failed to comprehend it.

You need to ask yourself whether you have the necessary skills and
understanding to carry out the research you claim you want to perform.

Mark

[1] http://tomcat.apache.org/download-60.cgi
[2] http://archive.apache.org/dist/tomcat/tomcat-6
[3] http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
[4] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24