Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Created Outside of the Intended Directory
SecurityTracker Alert ID: 1023505|
SecurityTracker URL: http://securitytracker.com/id/1023505
(Links to External Site)
Date: Jan 25 2010
Modification of system information, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 5.5.0 - 5.5.28, 6.0.0 - 6.0.20; possibly earlier versions|
A vulnerability was reported in Tomcat. A remote user can cause files to be created in arbitrary directories on the target system.|
The software does not properly validate user-supplied input. A remote user can create a specially crafted WAR archive that, when deployed on the target system by an authorized user, will create files on target system that are located outside of the web root directory.
Marc Schoenefeld of the Red Hat Security Response Team reported this vulnerability.
A remote user can cause files to be created in arbitrary locations on the target system.|
The vendor has issued a fix (5.5.29 [pending], 6.0.24).|
Patches are also available.
The vendor's advisory is available at:
Vendor URL: tomcat.apache.org/ (Links to External Site)
Access control error, Input validation error|
Linux (Any), UNIX (Any), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Sun, 24 Jan 2010 16:54:03 -0500|
Subject: [Full-disclosure] [SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration
-----BEGIN PGP SIGNED MESSAGE-----
CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration
The Apache Software Foundation
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also
When deploying WAR files, the WAR files were not checked for directory
traversal attempts. This allows an attacker to create arbitrary content
outside of the web root.
6.0.x users should upgrade to 6.0.24 or apply this patch:
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
Note: the patches also address CVE-2009-2901 and CVE-2009-2902.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.
A WAR file that contains the following entry will overwrite the standard
Windows start-up script when deployed on a default Tomcat installation:
This issue was reported to the Apache Tomcat security team by Marc
Schoenefeld of the Red Hat Security Response Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/