On 09/25/2012 03:42 PM, Mark Thomas wrote:
On 25/09/2012 12:15, Ragini wrote:
Hi,
I want to try to exploit Tomcat vulnerability CVE-2009-2693. The site
says that the affected versions are from 6.0.0 to 6.0.20. I could not
find any of these on the official Apache Tomcat website. I want to do some
tests on those vulnerable versions.
Hmm. I find it hard to believe you couldn't find the Tomcat 6 download
pages [1]. (Although judging by the level of competence your e-mails to
this list to date have demonstrated, I suppose that is a possibility).
The very first section on that page contains the text:
"This page provides download links for obtaining the latest version of
Tomcat 6.0.x, as well as links to the archives of older releases."
Did you read that section? Did you not understand that since you want an
old release you need to look in the archives?
The following section contains a link [2] to the archives. From that point
it should be obvious.
Could you please guide me from where I can download the Tomcat version
which is vulnerable to CVE-2009-2693 (Arbitrary file deletion and/or
alteration on deploy)? Please note that I use Ubuntu 12.0.4.
I'd suggest you use [3].
Is there a particular reason to use 6.0.20 only?
Basically this is how I plan to exploit that vulnerability:
1) I insert code to create a directory in the user's home directory in one
of the Java classes of my web application.
2) I deploy the WAR file to Tomcat's web-apps dir.
3) I start Tomcat with the security manager and it should then create a
directory in the user's home directory.
That would be a complete waste of time. You'll be testing the security
manager rather than anything to do with CVE-2009-2693.
Either you have failed to read the description of CVE-2009-2693 [4] or
you have failed to comprehend it.
Maybe I have failed to understand it. Could you please explain it
and give me an idea about how I can actually exploit it?
You need to ask yourself whether you have the necessary skills and
understanding to carry out the research you claim you want to perform.
Well, I asked and realized that I should not yet give up! :-)
Mark
[1] http://tomcat.apache.org/download-60.cgi
[2] http://archive.apache.org/dist/tomcat/tomcat-6
[3] http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
[4] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org