On Sep 25, 2012, at 7:15 AM, Ragini wrote:

> Hi,
>
> I want to try to exploit tomcat vulnerability CVE-2009-2693. From site it
> says that the affected versions are from 6.0.0 to 6.0.20. I could not find any
> of this on official apache tomcat website. I want to do some tests on those
> vulnerable versions.
>
> *Could you please guide me from where I can download the tomcat version which
> is vulnerable to CVE-2009-2693 (Arbitrary file deletion and/or alteration on
> deploy)? **Pl note that I use ubuntu 12.0.4.*

You can download any version you want from the archives.

https://archive.apache.org/dist/tomcat/tomcat-6/

Dan

>
> Basically this is how I plan to exploit that vulnerability:
>
> 1) I insert code to create a directory in user's home directory in one of the
> java class of my web application.
> 2) I deploy the war file to tomcat's web-apps dir.
> 3) I start the tomcat with security manager and it should then create a
> directory in user's home directory.
>
> I would really appreciate your help regarding this.
>
> Thanks.