Posted to users@tomcat.apache.org by Wen Liu <we...@ericsson.com> on 2013/04/18 15:14:50 UTC

Tomcat security vulnerability/ or security config issue


Howdy,

I have an issue with Tomcat security, please find the spec below:

Server version: Apache Tomcat/6.0.35
Server built:   Nov 28 2011 11:20:06
Server number:  6.0.35.0
OS Name:        SunOS
OS Version:     5.10
Architecture:   x86
JVM Version:    1.6.0_33-b03
JVM Vendor:     Sun Microsystems Inc.


For the problematic server, all files on the server are exposed to all users through http://<masterservice_IP>:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../<location_of_the_file>

i.e. open Chrome, give http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages and press enter to see the server system log..

It happens with any browsers..

I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is a service config issue.. Can someone please have a look?..

Please let me know if any further info required..


Thanks & Regards,

Wen

RE: Tomcat security vulnerability/ or security config issue

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: David kerber [mailto:dckerber@verizon.net] 
> Subject: Re: Tomcat security vulnerability/ or security config issue

> If things are configured properly, web users won't be able to see 
> anything outside your app hierarchy, so something clearly isn't set up 
> properly.

This has little to do with configuration - it's the particular webapp (consistencycheck) that is blindly trusting whatever is fed to it from the outside world, and using that as a path into the local file system.  A SecurityManager _may_ be able to stop it, but if the site has deployed such a dangerous webapp, it's likely they would grant excessive privileges to it as well.

 - Chuck
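The check Chuck describes as missing, shown as an added illustration rather than code from this thread or from the consistencycheck webapp: the unchecked resolution beside a hardened one that confines the xmlUrl parameter to an allowed directory. The class name, the base directory and the file names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Resolves a caller-supplied xmlUrl strictly inside an allowed directory (hypothetical helper). */
public final class SafeXmlResolver {

    private final Path base;

    public SafeXmlResolver(Path base) throws IOException {
        // Canonicalise once so symlinks in the base itself cannot confuse the later prefix check.
        this.base = base.toRealPath();
    }

    /** The pattern the thread describes: the parameter becomes a file path with no check at all. */
    public Path resolveUnchecked(String xmlUrl) {
        return base.resolve(xmlUrl);   // "../../../../../var/adm/messages" walks out of base
    }

    /** Hardened version: reject malformed input and anything that resolves outside base. */
    public Path resolveChecked(String xmlUrl) throws IOException {
        if (xmlUrl == null || xmlUrl.isEmpty() || xmlUrl.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or malformed xmlUrl");
        }
        // resolve() returns an absolute xmlUrl unchanged, so absolute paths fail the prefix check too.
        Path candidate = base.resolve(xmlUrl).normalize();   // collapses "." and ".." segments
        if (!candidate.startsWith(base)) {                   // component-wise prefix, not string prefix
            throw new SecurityException("xmlUrl escapes the allowed directory");
        }
        // Follow symlinks in the candidate as well, then re-check; this also confirms the file exists.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("xmlUrl is not a regular file under the allowed directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("xml-base");   // constructed stand-in for the webapp's XML dir
        Path ok = Files.createFile(base.resolve("report.xml"));
        SafeXmlResolver r = new SafeXmlResolver(base);

        System.out.println("unchecked: " + r.resolveUnchecked("../../../../../var/adm/messages").normalize());
        System.out.println("checked ok: " + r.resolveChecked("report.xml"));
        try {
            r.resolveChecked("../../../../../var/adm/messages");
        } catch (SecurityException e) {
            System.out.println("checked rejected: " + e.getMessage());
        }
        Files.delete(ok);
        Files.delete(base);
    }
}
```

A servlet would call resolveChecked() with the request parameter and return 400 on IllegalArgumentException or SecurityException instead of reading the file; the rejected request is also worth logging, since a traversal attempt against this parameter is a clear detection signal.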




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat security vulnerability/ or security config issue

Posted by David kerber <dc...@verizon.net>.
If things are configured properly, web users won't be able to see 
anything outside your app hierarchy, so something clearly isn't set up 
properly.

On 4/18/2013 9:14 AM, Wen Liu wrote:
>
>
> Howdy,
>
> I have an issue with Tomcat security, please find the spec below:
>
> Server version: Apache Tomcat/6.0.35
> Server built:   Nov 28 2011 11:20:06
> Server number:  6.0.35.0
> OS Name:        SunOS
> OS Version:     5.10
> Architecture:   x86
> JVM Version:    1.6.0_33-b03
> JVM Vendor:     Sun Microsystems Inc.
>
>
> For the problematic server, all files on the server are exposed to all users through http://<masterservice_IP>:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../<location_of_the_file>
>
> i.e. open Chrome, give http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages and press enter to see the server system log..
>
> It happens with any browsers..
>
> I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is a service config issue.. Can someone please have a look?..
>
> Please let me know if any further info required..
>
>
> Thanks & Regards,
>
> Wen






Re: Tomcat security vulnerability/ or security config issue

Posted by Mark Thomas <ma...@apache.org>.
On 18/04/2013 14:14, Wen Liu wrote:
> 
> 
> Howdy,
> 
> I have an issue with Tomcat security, please find the spec below:
> 
> Server version: Apache Tomcat/6.0.35
> Server built:   Nov 28 2011 11:20:06
> Server number:  6.0.35.0
> OS Name:        SunOS
> OS Version:     5.10
> Architecture:   x86
> JVM Version:    1.6.0_33-b03
> JVM Vendor:     Sun Microsystems Inc.
> 
> 
> For the problematic server, all files on the server are exposed to all users through http://<masterservice_IP>:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../<location_of_the_file>
> 
> i.e. open Chrome, give http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages and press enter to see the server system log..
> 
> It happens with any browsers..
> 
> I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is a service config issue.. Can someone please have a look?..
> 
> Please let me know if any further info required..

That is an application vulnerability, not a Tomcat vulnerability.

Mark

