SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Deleted
SecurityTracker Alert ID:  1023504
SecurityTracker URL:  http://securitytracker.com/id/1023504
CVE Reference:   CVE-2009-2902
Date:  Jan 25 2010
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.5.0 - 5.5.28, 6.0.0 - 6.0.20; possibly earlier versions
Description:   A vulnerability was reported in Tomcat. A remote user can cause files in the server's work directory to be deleted, which can cause denial of service conditions for the applications currently running on the host.

A remote user can create a WAR archive with a specially crafted file name that, when deployed and then undeployed on the target system by an authorized user, will cause files on the target system to be deleted. Tomcat does not check the WAR file name for directory traversal sequences before using it to build paths under its work directory.

For example, a WAR archive named "...war" (the name left after stripping the ".war" suffix is "..") will, when deployed and undeployed, cause all files and subdirectories in the "work/<engine name>/<host name>" directory to be removed.

The vendor reported this vulnerability.

Impact:   A remote user can cause files to be deleted on the target system.
Solution:   The vendor has issued a fix (5.5.29 [pending], 6.0.24).

Patches are also available.

The vendor's advisory is available at:

http://tomcat.apache.org/security-6.html

Vendor URL:  tomcat.apache.org/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 24 2010 (Red Hat Issues Fix for JBoss Enterprise Web Server) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Deleted   (bugzilla@redhat.com)
Red Hat has issued a fix for JBoss Enterprise Web Server for Red Hat Enterprise Linux 4 and 5.
Jun 18 2010 (HP Issues Fix for HP-UX) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Deleted
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
Sep 10 2010 (Red Hat Issues Fix for Certificate System) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Deleted   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Certificate System 7.3.
Oct 15 2010 (Sun Issues Fix) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Deleted
Sun has issued a fix for Solaris 9 and 10 and OpenSolaris.



 Source Message Contents

Date:  Sun, 24 Jan 2010 16:54:19 -0500
Subject:  [Full-disclosure] [SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
When deploying WAR files, the WAR file names were not checked for
directory traversal attempts. This allows an attacker to cause the
deletion of the current contents of the host's work directory which may
cause problems for currently running applications.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2693 and CVE-2009-2901.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.

Example:
Deploying and undeploying a WAR named "...war" causes all files and
subdirectories in "work/<engine name>/<host name>" to be removed.

Credit:
This issue was discovered by the Apache Tomcat security team

References:
[1] http://tomcat.apache.org/security.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLXMGKAAoJEBDAHFovYFnnU3sP/2qKA+k8nmXoowqeUKfgTZyg
EJAtLvuTHFViDFeA7tDrh18pMzWUfPCu/sU8qXaiY71Dw6Fa8zcJ1SksP/WB4jmN
UDuSj9vm5INxjbANnniSpZ5+tfLukPz9I3vFIIpmT4xO2aGnbqTUWPmVb2Oitapp
ePH35D0OldLIL8O4TmdTK5LPw/qufbvEtegTlryJeyO9kWvqmK54W2cs60i+txiD
zwzoRJgmNd7e/DS8+jrGrSFgLiFQlEQraQ99OvvU9bi7DofEUA1HuxPV94Ck8oMc
xbcNlAgSMuqc0PuIff68rXP3M/4M96j/BFRRLsAqUPfXBZQBZ6vc/uOVG2JriIQU
psksw1zTf8pbUTtuY6EUry3SspTHWcMGJfoxtrXa0nVxGnTg5XI/joipbCbbcF6p
0npKt3IIEH6JYtZ2DbSO0w6QjFnCVV5v0mB1LrMQDy0SzfcYf6G0MnmD6hLYNsdz
83TRgicGCfcSqZdiZDJ2Kngwnjl/oHYx2A1SVOc4q0NoIlFnzF9qMqiLM5hM87LT
3FaFsDmeFwhUxo4JRGAFA+ft1UrYufCvCQy+ZW6fxPIW2Qz9aEq63MDVojdd2yf7
Z9JApNAiO6q1cJukOaworJiv1cbcZHp0SaWDJQIo4VFT2APD2DFU79vCseIusX4e
jcy9btzWclss+2hAA/XQ
=kJa8
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
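The alert's description of the "...war" file name and the advisory's mitigation (manually validating untrusted WAR files before deployment) describe a check that can be automated. The Python script below is an added example, not code from SecurityTracker or the Apache Tomcat project: it derives the context name the way Tomcat does (base name with the ".war" suffix stripped, so "...war" becomes "..") and rejects names that are "." or ".." or fall outside an allowlist, and it also rejects archive entries with absolute paths or ".." components, since those would escape the deployment directory when the WAR is expanded. The allowlist pattern, the function names and the sample archives built by `build_war` are this example's own assumptions. Run it on an untrusted WAR before the file is placed in the webapps directory.

```python
import io
import re
import zipfile

# Added example: a pre-deployment check for untrusted WAR files.
# The allowlist and the helper names below are this example's own
# assumptions, not Tomcat behaviour. Tomcat's "#" multi-level context
# naming is deliberately not allowed here.
SAFE_CONTEXT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def context_name(war_filename):
    """Return the context name Tomcat derives from a WAR file name:
    the base name with the ".war" suffix stripped. "...war" thus
    becomes ".."."""
    base = war_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base.lower().endswith(".war"):
        raise ValueError("not a .war file name: %r" % war_filename)
    return base[:-4]


def check_context_name(war_filename):
    """Return a rejection reason, or None if the file name is acceptable."""
    name = context_name(war_filename)
    if name in ("", ".", ".."):
        return "context name %r is empty or traverses upward" % name
    if not SAFE_CONTEXT.match(name):
        return "context name %r contains disallowed characters" % name
    return None


def check_entries(zf):
    """Return rejection reasons for archive entries that could escape
    the deployment directory when the WAR is expanded."""
    reasons = []
    for info in zf.infolist():
        entry = info.filename
        normalized = entry.replace("\\", "/")
        if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
            reasons.append("absolute path entry %r" % entry)
            continue
        if ".." in normalized.split("/"):
            reasons.append("traversal in entry %r" % entry)
    return reasons


def check_war(war_filename, data):
    """Return every reason to reject the WAR; an empty list means it passed."""
    reasons = []
    name_reason = check_context_name(war_filename)
    if name_reason:
        reasons.append(name_reason)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        reasons.extend(check_entries(zf))
    return reasons


def build_war(entries):
    """Build an in-memory WAR from {entry name: content}. Constructed
    sample data for the demonstration; entry names are written as given
    so that traversal entries can be exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_war({"WEB-INF/web.xml": "<web-app/>", "index.jsp": "ok"})
    hostile = build_war({"WEB-INF/web.xml": "<web-app/>",
                         "../../conf/evil.jsp": "<% %>"})
    for filename, data in (("myapp.war", benign), ("...war", hostile)):
        reasons = check_war(filename, data)
        print(filename, "->", "OK" if not reasons else "; ".join(reasons))
```

The entry check is broader than the Tomcat flaw described on this page, which concerns only the file name; it is included because the same pre-deployment step is the natural place to reject archive members that would write outside the expansion directory.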
Copyright 2014, SecurityGlobal.net LLC