http://www.securityfocus.com/archive/1/archive/1/509148/100/0/threaded
Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected.

Description:
When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root.

Mitigation:
6.0.x users should upgrade to 6.0.24 or apply this patch:
http://svn.apache.org/viewvc?rev=892815&view=rev
5.5.x users should upgrade to 5.5.29 when released or apply this patch:
http://svn.apache.org/viewvc?rev=902650&view=rev
Note: the patches also address CVE-2009-2901 and CVE-2009-2902.

Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment.

Example:
A WAR file that contains the following entry will overwrite the standard Windows start-up script when deployed on a default Tomcat installation:
../../bin/catalina.bat

Credit:
This issue was reported to the Apache Tomcat security team by Marc Schoenefeld of the Red Hat Security Response Team

References:
[1] http://tomcat.apache.org/security.html

Mark Thomas

Reprinted from: http://atqmb.baihongyu.com/
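The advisory's alternative mitigation is to validate untrusted WAR files before deployment. The following is an added example, not code from the advisory or from Tomcat: a Python pre-deployment check that lists every archive entry whose path would escape the deployment directory (absolute paths, drive letters, or `..` segments that climb above the archive root), run here against a sample WAR constructed inline that includes the `../../bin/catalina.bat` entry from the advisory.

```python
import io
import posixpath
import zipfile


def unsafe_entries(war_bytes):
    """Return the names of archive entries that would be written outside
    the directory the WAR is deployed into.

    A WAR is a zip file, so the checks are: absolute path, Windows drive
    letter, or a normalised path that still starts with '..'. Backslashes
    are treated as separators because a Windows Tomcat would honour them.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            candidate = name.replace("\\", "/")
            if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
                flagged.append(name)
                continue
            # normpath collapses 'WEB-INF/../../x' to '../x', exposing the climb
            normalised = posixpath.normpath(candidate)
            if normalised == ".." or normalised.startswith("../"):
                flagged.append(name)
    return flagged


def safe_to_deploy(war_bytes):
    """True only when no entry escapes the deployment directory."""
    return not unsafe_entries(war_bytes)


def build_sample_war():
    """Constructed sample archive (not a real WAR): two normal entries plus
    traversal entries, including the one quoted in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("index.jsp", "<html></html>")
        war.writestr("../../bin/catalina.bat", "@echo off\r\n")
        war.writestr("WEB-INF/../../notes.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_war()):
        print("REJECT: entry escapes deployment directory:", entry)
```

Run the check on the WAR before handing it to the deployer and refuse the file when `unsafe_entries` returns anything.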