Tomcat readonly must be set to true (RCE)
Test case that checks for a Tomcat misconfiguration. If readonly is set to false on the Tomcat Default Servlet, files can be created and deleted via plain HTTP requests (the check below uses DELETE). This feature even leads to a Remote Code Execution (RCE) vulnerability in most released Tomcat versions (see CVE-2017-12617 and CVE-2017-12615).
- HTTP DELETE on /A_Not_Existing_File_trr.txt path.
- Expected Status Code: 403 (Forbidden)
403 (Forbidden) is what Tomcat normally returns. Tomcat behind a web application firewall (WAF) might return another status code (e.g. 405 (Method Not Allowed)).
Attention: The test might lead to false positives when the web application is behind a WAF or another frontend server.
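As an added configuration-side check (not part of this test case), the following Python audits a Tomcat conf/web.xml for the weak setting, which avoids the WAF ambiguity of the HTTP probe. The web.xml excerpts are constructed samples; the value mapping assumes Tomcat reads the parameter with Boolean.parseBoolean, so only the literal "true" (any case) enables read-only mode and a missing parameter keeps Tomcat's default of true.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a conf/web.xml excerpt (not from any real install):
# the DefaultServlet is declared with readonly=false, the weak setting.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# The same excerpt with the corrected setting.
FIXED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                     "<param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace so the audit works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml: str) -> bool:
    """Return True when the DefaultServlet is read-only (safe) and False when files
    can be created or deleted over HTTP. Mirrors Boolean.parseBoolean (assumption):
    only the literal "true" counts as true; a missing parameter means Tomcat's default (true)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for field in param:
                if _local(field.tag) == "param-name":
                    name = (field.text or "").strip()
                elif _local(field.tag) == "param-value":
                    value = (field.text or "").strip()
            if name == "readonly":
                return value.lower() == "true"  # "yes", "1", "maybe" all mean writable
        return True  # DefaultServlet declared without readonly: default is true
    return True  # no DefaultServlet declared in this file: container default applies


if __name__ == "__main__":
    print("weak  readonly:", default_servlet_readonly(WEAK_WEB_XML))   # False
    print("fixed readonly:", default_servlet_readonly(FIXED_WEB_XML))  # True
```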