lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B5CC17B.4030708@apache.org>
Date: Sun, 24 Jan 2010 16:54:03 -0500
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>,
	Tomcat Developers List <dev@...cat.apache.org>,
	announce@...cat.apache.org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com, announce@...che.org
Subject: [SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or
 alteration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also
affected.

Description:
When deploying WAR files, the WAR files were not checked for directory
traversal attempts. This allows an attacker to create arbitrary content
outside of the web root.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2901 and CVE-2009-2902.
Alternatively, users of all Tomcat versions may mitigate this issue by
manually validating the contents of untrusted WAR files before deployment.

Example:
A WAR file that contains the following entry will overwrite the standard
Windows start-up script when deployed on a default Tomcat installation:
../../bin/catalina.bat

Credit:
This issue was reported to the Apache Tomcat security team by Marc
Schoenefeld of the Red Hat Security Response Team

References:
[1] http://tomcat.apache.org/security.html

Mark Thomas


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLXMF6AAoJEBDAHFovYFnniGcP/j9ZyFlLdzcTxJLqqWyAOdUt
J1jF8vZTIqkf/vFyrRxLgw9ihaKZQ1wpd9U3vdHulcIsuAeBtiZgIhlXKItJiTLf
ImsEl5a3w3Ucp2Z71/IIRxmcffz/zIjgdzmhmnRDEhiHz/wiygpRr7X1M8ZgZVXe
itxFDhZu7ccWDTwUkxOoFuG6CWxb6/red3l5CaL4OtcWBTZ1aqQ5M1Io62pWErLI
6F/xuGTvWn4AeXaNEgJOGFZLLyX06WQJSzaJXh/tPqI153mk5Or63m03uJy9wHqa
p7ULRvRNSZ57m8L08e397uCjvu4CPGf1Rm0dDDART7UaLF1Q13gP9O6DPCS88wN+
ypgZTERSG9t0iMHZCKNjH1huRJDVPkEJwvGdtH0wGzFwg5S+oJ/J5ETW29dQ/JUR
pt1U1Xz6RnzFFgQR4Xomdc4SPysDFOIAexi8dkZPDcafN7YyiMQTRyU3iNRuoaR1
Y32qWfqJrmVDWQ1J4BLYsrLrpgZ0s5ccq6omz36lbH+3blyVPf1th84lWg9GG6lo
W3qsnJIpNfxLi9II9sDxbVpUJXLVbJmBexUDR3z9BayowNtBlwMWXEZluctGe2DO
hIkNB0D33AJvMD7wY80tnXY/hH3X5Vs+ZePEmu7TQB1KXzTinEbVdNVPF8/8woaL
7iN004jxhnUxQc8Fgwj4
=/B5h
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ