Tomcat WAR Deployment Directory Traversal Flaw May Cause Files to Be Deleted
SecurityTracker Alert ID: 1023504
SecurityTracker URL: http://securitytracker.com/id/1023504
Date: Jan 25 2010
Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 5.5.0 - 5.5.28, 6.0.0 - 6.0.20; possibly earlier versions
A vulnerability was reported in Tomcat. A remote user can cause denial of service conditions.
A remote user can create a specially crafted WAR archive that, when deployed on the target system by an authorized user, will overwrite files on the target system.
A WAR archive with the filename "...war" will cause the files and subdirectories in "work/<engine name>/<host name>" directory to be removed.
The vendor reported this vulnerability.
A remote user can cause files to be deleted on the target system.
The vendor has issued a fix (5.5.29 [pending], 6.0.24).
Patches are also available.
The vendor's advisory is available at:
Vendor URL: tomcat.apache.org/
Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: [Full-disclosure] [SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory
-----BEGIN PGP SIGNED MESSAGE-----
CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory
The Apache Software Foundation
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also
When deploying WAR files, the WAR file names were not checked for
directory traversal attempts. This allows an attacker to cause the
deletion of the current contents of the host's work directory which may
cause problems for currently running applications.
6.0.x users should upgrade to 6.0.24 or apply this patch:
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
Note: the patches also address CVE-2009-2693 and CVE-2009-2901.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.
Deploying and undeploying a WAR named "...war" causes all files and
subdirectories in "work/<engine name>/<host name>" to be removed.
This issue was discovered by the Apache Tomcat security team