SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Created Outside of the Intended Directory
SecurityTracker Alert ID:  1023505
SecurityTracker URL:  http://securitytracker.com/id/1023505
CVE Reference:   CVE-2009-2693
Date:  Jan 25 2010
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.5.0 - 5.5.28, 6.0.0 - 6.0.20; possibly earlier versions
Description:   A vulnerability was reported in Tomcat. A remote user can cause files to be created or overwritten in arbitrary directories on the target system.

The software does not validate the entry names in a WAR archive before expanding it. A remote user can create a specially crafted WAR archive whose entry names contain directory traversal sequences (such as '../'); when an authorized user deploys that archive on the target system, the files are written outside of the web application directory, and existing files writable by the Tomcat process (for example, Tomcat's own start-up scripts) can be overwritten.

Marc Schoenefeld of the Red Hat Security Response Team reported this vulnerability.

Impact:   A remote user can cause files to be created or overwritten in arbitrary locations writable by the Tomcat process on the target system.
Solution:   The vendor has issued a fix (5.5.29 [pending], 6.0.24).

Patches are also available.

The vendor's advisory is available at:

http://tomcat.apache.org/security-6.html

Vendor URL:  tomcat.apache.org/
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 24 2010 (Red Hat Issues Fix for JBoss Enterprise Web Server) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Created Outside of the Intended Directory   (bugzilla@redhat.com)
Red Hat has issued a fix for JBoss Enterprise Web Server for Red Hat Enterprise Linux 4 and 5.
Jun 18 2010 (HP Issues Fix for HP-UX) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Created Outside of the Intended Directory
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
Sep 10 2010 (Red Hat Issues Fix for Certificate System) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Created Outside of the Intended Directory   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Certificate System 7.3.
Oct 15 2010 (Sun Issues Fix) Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Created Outside of the Intended Directory
Sun has issued a fix for Solaris 9 and 10 and OpenSolaris.



 Source Message Contents

Date:  Sun, 24 Jan 2010 16:54:03 -0500
Subject:  [Full-disclosure] [SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration


CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be
affected.

Description:
When deploying WAR files, the WAR files were not checked for directory
traversal attempts. This allows an attacker to create arbitrary content
outside of the web root.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2901 and CVE-2009-2902.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.

Example:
A WAR file that contains the following entry will overwrite the standard
Windows start-up script when deployed on a default Tomcat installation:
../../bin/catalina.bat

Credit:
This issue was reported to the Apache Tomcat security team by Marc
Schoenefeld of the Red Hat Security Response Team

References:
[1] http://tomcat.apache.org/security.html

Mark Thomas


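The following is an added example, not code from the advisory, from Tomcat, or from Mark Thomas. It illustrates both the description above (a WAR whose entry names carry '../' components) and the mitigation the advisory recommends, validating the contents of an untrusted WAR before deployment. It builds two constructed sample archives in memory, one of which carries the exact '../../bin/catalina.bat' entry quoted in the advisory, then resolves every entry name against a hypothetical deployment directory (webapps/app by default) and refuses to expand the archive if any entry would land outside it. The deployment directory name, the archive contents and the helper names are all assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archives (not real-world artifacts). The second entry of
# MALICIOUS_WAR is the name quoted in the advisory: relative to a default
# install's webapps/<app>/ directory it resolves to Tomcat's Windows start-up
# script, which an unchecked expansion would overwrite.
def build_war(entries):
    """Build an in-memory WAR (a zip file) from {entry_name: bytes}.
    Entry names are written verbatim, so '../' components survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

MALICIOUS_WAR = build_war({
    "WEB-INF/web.xml": b"<web-app/>",
    "../../bin/catalina.bat": b"@echo off\r\necho replaced by attacker\r\n",
})
CLEAN_WAR = build_war({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/classes/": b"",
    "index.jsp": b"<%= 1 + 1 %>",
})

def unsafe_entries(war_bytes, context_dir="webapps/app"):
    """Return the entry names that would be written outside context_dir.

    context_dir is the hypothetical directory the WAR would be expanded into.
    Each entry name is joined to it and normalised the way the filesystem
    would resolve it; anything that does not stay inside is reported."""
    base = os.path.abspath(context_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths, backslash separators and colons (drive letters,
            # NTFS streams) never belong in a WAR; reject them before any
            # path arithmetic rather than trying to normalise them.
            if name.startswith(("/", "\\")) or "\\" in name or ":" in name:
                bad.append(name)
                continue
            target = os.path.normpath(os.path.join(base, *name.split("/")))
            if target != base and not target.startswith(base + os.sep):
                bad.append(name)
    return bad

def deploy_war(war_bytes, context_dir):
    """Refuse to deploy an archive that fails validation; otherwise expand it.

    Raises ValueError naming the offending entries so a deployment pipeline
    fails closed instead of silently rewriting or dropping the entries.
    Returns the relative paths of the files that were written."""
    bad = unsafe_entries(war_bytes, context_dir)
    if bad:
        raise ValueError("WAR contains traversal entries: " + ", ".join(bad))
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        zf.extractall(context_dir)
    return sorted(
        os.path.relpath(os.path.join(d, f), context_dir).replace(os.sep, "/")
        for d, _, files in os.walk(context_dir) for f in files
    )

def deploy_to_tempdir(war_bytes):
    """Deploy into a throwaway directory.
    Returns ('ok', written_files) or ('rejected', offending_entries)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return ("ok", deploy_war(war_bytes, os.path.join(tmp, "app")))
        except ValueError:
            return ("rejected", unsafe_entries(war_bytes))

if __name__ == "__main__":
    print("malicious:", deploy_to_tempdir(MALICIOUS_WAR))
    print("clean:", deploy_to_tempdir(CLEAN_WAR))
```

Two points the advisory's one-line example does not spell out. First, the check has to run over the archive's entry names before anything is written: once a single entry has been expanded the damage (here, a replaced start-up script) is already done. Second, detection should fail closed. Python's own zipfile.extractall strips leading '/' and '..' components on extraction, so it would not reproduce the Tomcat behaviour, but an archive that needed such rewriting is itself evidence of tampering, and a deployment pipeline should reject it and report the entry names rather than quietly deploy a sanitised version.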

Copyright 2014, SecurityGlobal.net LLC