-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ragini,
On 9/25/12 9:59 AM, Ragini wrote: > On 09/25/2012 03:42 PM, Mark Thomas wrote: >> On 9/25/12 7:15 AM, Ragini wrote: >>> 1) I insert code to create a directory in user's home directory >>> in one of the java class of my web application. 2) I deploy the >>> war file to tomcat's web-apps dir. 3)I start the tomcat with >>> security manager and it should then create a directory in >>> user's home directory. >> >> That would be a complete waste of time. You'll be testing the >> security manager rather than anything to do with CVE-2009-2693. >> >> Either you have failed to read the description of CVE-2009-2693 >> [4] or your have failed to comprehend it. > may be I have failed to understand it. could u please explain it > and give me an idea about how can I exploit it actually ? Why don't you Google for "CVE-2009-2693" and read the description. It's fairly clear, if not terse. Try reading all of the references from Mitre. The first reference they have is a mailing list post written by Mark Thomas which explains the vulnerability as well as gives references to the svn revisions that fix the vulnerability. By reading the Mitre report (very short), Mark's post (also quite short), and the patches, you should be able to get an idea about how to exploit this vulnerability. Or you could just think to yourself "oh, it's a WAR-extraction directory-traversal vulnerability" and figure it out from there. Is this for a class or something? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBhyU4ACgkQ9CaO5/Lv0PDHSACcCxDl3Cv5xCtpPyuTC4dJ7/Yp xlMAnj72wasNuQ8f8SqRGk8X1PfvYx4k =jzU0 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
