Hi all,

I wanted to exploit the Tomcat vulnerability CVE-2009-2693, named "*Arbitrary file deletion and/or alteration on deploy*". You can have a look at it here: http://tomcat.apache.org/security-6.html
There they say the affected versions are "Affects: 6.0.0-6.0.20".

I wanted to give it a try. So I downloaded a web application insecure (insecure web application from OWASP). This application has some JSP files and some Java files. So in one of the Java files (DatasourceConnectionprovider.java), I added the following code, which deletes a file named file1.txt from the home directory. Please note that I use Ubuntu and I created file1.txt in the home directory.

The code looks like below:

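    // Added to DatasourceConnectionprovider.java; requires: import java.io.File;
    public void deletefile()
    {
        try {
            // A relative path is resolved against the working directory of the Tomcat JVM
            File file = new File("../../file1.txt"); // this deletes file1.txt from home dir

            if (file.delete()) {
                System.out.println(file.getName() + " is deleted!");
            } else {
                System.out.println("Delete operation is failed.");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }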

I compiled the file (DatasourceConnectionprovider.java) and replaced the default DatasourceConnectionprovider.class with the changed DatasourceConnectionprovider.class. So, in short, I deploy a war file in Tomcat which deletes file1.txt from the home directory.

I tried this with both Tomcat 6.0.35 and Tomcat 7.0.28 and it actually deleted file1.txt from the home directory. So I guess I have succeeded in exploiting the said "CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy*" vulnerability.

So my question is:

1) They say that the affected versions are Tomcat 6.0.0-6.0.20. But I could do this with Tomcat 7.0.28 also. I checked the Tomcat 7 vulnerabilities and I could not find this (*Arbitrary file deletion and/or alteration on deploy*) in the list on the org.apache site.

a) Is the way I have tried to exploit that vulnerability correct? Or is it something which can be considered normal behaviour? (attempting to delete a file from the home dir or from the web root dir while deploying a war file)

b) Does this vulnerability still exist in Tomcat 7.0.28? I think so, because I could delete a file from the home dir with the Tomcat 7.0.28 version also, but I am not sure. Should this be reported to the security team of Tomcat?

Ultimately I want to make sure that I have succeeded in exploiting a vulnerability of Tomcat. This is part of my research and there is no intention to harm others. :-)

Thanks

Richa
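
An added example, not part of the original post and not Tomcat's own code: the Tomcat advisory for CVE-2009-2693 describes WAR files whose entry names were not checked for directory traversal when deployed, which is a different thing from application code calling File.delete() with the server's file permissions. The check below flags archive entry names that would resolve outside the deployment directory; the class and method names, the deploy directory and the sample entry names are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.*;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class WarEntryCheck {

    // Entry names that would land outside deployDir if the archive were expanded there.
    static List<String> escapingEntries(List<String> entryNames, Path deployDir) {
        Path base = deployDir.toAbsolutePath().normalize();
        List<String> bad = new ArrayList<>();
        for (String name : entryNames) {
            String rel = name.replace('\\', '/'); // same result on every OS
            try {
                Path target = base.resolve(rel).normalize();
                if (rel.startsWith("/") || !target.startsWith(base)) {
                    bad.add(name);
                }
            } catch (InvalidPathException e) {
                bad.add(name); // unparseable names are rejected as well
            }
        }
        return bad;
    }

    static List<String> entryNames(String warPath) throws IOException {
        try (ZipFile war = new ZipFile(warPath)) {
            List<String> names = new ArrayList<>();
            for (ZipEntry e : Collections.list(war.entries())) {
                names.add(e.getName());
            }
            return names;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample names, used when no WAR path is passed as an argument.
        List<String> names = args.length > 0 ? entryNames(args[0]) : Arrays.asList(
                "WEB-INF/web.xml", "index.jsp", "WEB-INF/../readme.txt", "../../file1.txt");
        Path deployDir = Paths.get("webapps", "insecure"); // hypothetical deploy directory
        List<String> bad = escapingEntries(names, deployDir);
        for (String name : bad) {
            System.out.println("entry escapes " + deployDir + ": " + name);
        }
        System.out.println(bad.isEmpty() ? "OK" : bad.size() + " entry name(s) rejected");
    }
}
```

Run with a WAR path as the only argument to check a real archive before deploying it; with no argument it checks the constructed sample names.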




