Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/10/22 10:07:48 UTC

[Bug 62844] New: Tomcat CGI suffix name arbitrary resolution vulnerability

https://bz.apache.org/bugzilla/show_bug.cgi?id=62844

            Bug ID: 62844
           Summary: Tomcat CGI suffix name arbitrary resolution
                    vulnerability
           Product: Tomcat 9
           Version: 9.0.8
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: songmingxuan@cert.org.cn
  Target Milestone: -----

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
Speaking as a member of both the Tomcat and ASF security teams:

I whole-heartedly endorse everything Rémy said in comment #3.

There is no vulnerability here. By design, the CGI servlet executes what it is
told to. That is entirely under the application developer's control. It is
irrelevant what file extensions the developer has chosen to give to the files
the developer has configured the CGI Servlet to execute.

Separately, if an application developer is foolish enough to allow the
uploading of arbitrary files from untrusted users to a location that permits
them to be executed then that would be an application vulnerability, not a
Tomcat vulnerability.


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

--- Comment #6 from mingxuan <so...@cert.org.cn> ---
Well, thank you very much! Thank you! I'll send an e-mail to the security team.
Ha-ha! I always feel like a problem... ;)


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

--- Comment #5 from Remy Maucherat <re...@apache.org> ---
Yes, obvious security concerns should always be discussed on the security
mailing list.
At this time, the CGI servlet treats as CGI any mapped path.


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

--- Comment #8 from mingxuan <so...@cert.org.cn> ---
Thank you very much. Your explanation is authoritative. This problem is really
caused by the web application's arbitrary path upload and CGI's arbitrary
resolution, which leaves behind a CGI script back door. This should really be a
problem for web application developers. Thank you again!

Regarding this problem, I can also be bold enough to tell web developers: this
is not a problem of Tomcat. It is caused by the loopholes in the web application
itself. ;)

I hereby apologize to Remy Maucherat. I am stubborn. So sorry!😄


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
                 OS|                            |All

--- Comment #3 from Remy Maucherat <re...@apache.org> ---
You MUST report potential security issues to security @ tomcat.apache.org,
never in a public BZ.

There is no vulnerability here, however: the CGI servlet does not do anything
with the path suffix (or file extension); it will simply attempt to execute any
path mapped to it.

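The two statements in this thread (comment #3: the servlet runs whatever path is mapped to it and never looks at the suffix; comment #7: the only real control is whether untrusted uploads can reach a mapped location) modelled as an added example. This is not Tomcat code and is not part of the bug report or its attachment. It assumes the CGI servlet is mapped to /cgi-bin/* and serves scripts from WEB-INF/cgi (the defaults shown in the commented-out CGI servlet in Tomcat's conf/web.xml), a constructed webapp root under /var/lib/tomcat9/webapps/ROOT, and a hypothetical upload feature writing into an uploads/ directory; the function names are the example's own.

```python
import posixpath

# Constructed layout (assumption, not from the thread): a webapp whose CGI servlet
# is mapped to /cgi-bin/* and serves scripts from WEB-INF/cgi, the defaults in
# Tomcat's conf/web.xml, plus a hypothetical upload feature writing to uploads/.
WEBAPP_ROOT = "/var/lib/tomcat9/webapps/ROOT"
CGI_URL_PATTERN = "/cgi-bin/*"
CGI_SCRIPT_DIR = posixpath.join(WEBAPP_ROOT, "WEB-INF/cgi")
UPLOAD_DIR = posixpath.join(WEBAPP_ROOT, "uploads")

# Suffixes a naive upload filter might block. Deliberately short, to make the
# point: the list can never be complete, because the servlet never consults it.
SCRIPT_SUFFIXES = {".cgi", ".pl", ".sh", ".py"}


def cgi_servlet_executes(request_path: str, url_pattern: str = CGI_URL_PATTERN) -> bool:
    """Model of the behaviour described in comment #3: every request whose path
    falls under the servlet's mapping is handed to the CGI servlet for execution.
    The file suffix is not consulted at all."""
    if not url_pattern.endswith("/*"):
        raise ValueError("only path-prefix mappings are modelled here")
    prefix = url_pattern[:-1]  # "/cgi-bin/"
    return request_path == prefix.rstrip("/") or request_path.startswith(prefix)


def suffix_filter_permits(filename: str) -> bool:
    """The weak control: decide by suffix. 'shell.jpg' passes, and if it lands
    under the CGI directory the servlet still runs it (see cgi_servlet_executes)."""
    return posixpath.splitext(filename)[1].lower() not in SCRIPT_SUFFIXES


def _inside(path: str, root: str) -> bool:
    """Lexical containment check on already-normalised POSIX paths."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def safe_upload_path(user_filename: str,
                     upload_dir: str = UPLOAD_DIR,
                     cgi_dir: str = CGI_SCRIPT_DIR) -> str:
    """The control that matters: where the bytes land, not what they are called.
    Returns the absolute target path, or raises ValueError when writing there
    would put the file somewhere the CGI servlet can execute it."""
    name = posixpath.basename(user_filename)  # discard client-supplied directories
    if name in ("", ".", ".."):
        raise ValueError("refusing empty or dot filename")
    target = posixpath.normpath(posixpath.join(upload_dir, name))
    if not _inside(target, upload_dir):
        raise ValueError(f"target escapes the upload directory: {target}")
    # Defence in depth: catches an upload directory that was (mis)configured to
    # sit inside the CGI script directory, which is the application bug comment #7
    # describes. The file's suffix plays no part in this decision.
    if _inside(target, cgi_dir):
        raise ValueError(f"target is inside the CGI script directory: {target}")
    return target


def upload_rejected(user_filename: str, upload_dir: str = UPLOAD_DIR) -> bool:
    """True when safe_upload_path refuses the write."""
    try:
        safe_upload_path(user_filename, upload_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Suffix filter says "fine"; the servlet disagrees. The suffix was never the control.
    print("suffix filter permits shell.jpg:", suffix_filter_permits("shell.jpg"))
    print("servlet would execute /cgi-bin/shell.jpg:",
          cgi_servlet_executes("/cgi-bin/shell.jpg"))
    # Location-based control: a correctly placed upload directory is fine; one
    # nested under WEB-INF/cgi is refused regardless of the filename.
    print("uploads/ target:", safe_upload_path("shell.jpg"))
    print("rejected when upload dir sits under WEB-INF/cgi:",
          upload_rejected("notes.txt", posixpath.join(CGI_SCRIPT_DIR, "img")))
```

The containment check here is purely lexical so it runs offline; in a real upload handler, resolve both the upload directory and the target through the filesystem (realpath) as well, so a symlink inside uploads/ cannot point the write into WEB-INF/cgi.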

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

--- Comment #4 from mingxuan <so...@cert.org.cn> ---
Thank you very much for your reply. If there are security problems, should I
e-mail security@tomcat.apache.org directly? I still think there is a risk,
because CGI has been enabled and files are uploaded to this directory for the
web: regardless of whether it is a JPG or a txt, it executes the corresponding
script. What do you think? Thank you very much.


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

--- Comment #1 from mingxuan <so...@cert.org.cn> ---
Created attachment 36203
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36203&action=edit
Please refer to the annex for details.


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

mingxuan <so...@cert.org.cn> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #2 from mingxuan <so...@cert.org.cn> ---
Tomcat CGI suffix name arbitrary resolution vulnerability


[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

mingxuan <so...@cert.org.cn> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|All                         |Mac OS X 10.13
