
Tomcat readonly must be set to true (RCE)

Test case that checks for a Tomcat misconfiguration. Tomcat's DefaultServlet has an init parameter named readonly (default: true). If it is set to false, any client can create or overwrite files on the server via HTTP PUT and remove them via HTTP DELETE.
In Tomcat versions released before the fixes for CVE-2017-12617 and CVE-2017-12615 this setting also leads to Remote Code Execution (RCE): an attacker uploads a JSP file with PUT and the container then executes it.
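The setting lives in the DefaultServlet declaration in Tomcat's conf/web.xml (or in an application's own WEB-INF/web.xml). The following is an added example, not taken from this page or from a Tomcat distribution: the weak configuration the test case detects, followed by the corrected one. Leaving the readonly parameter out entirely is equivalent to the corrected form, since the default is true.

```xml
<!-- WEAK: DefaultServlet accepts PUT and DELETE from any client -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- FIXED: write methods are refused (this is also the default when the parameter is absent) -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

After changing conf/web.xml, restart Tomcat and re-run the DELETE probe described below; a 403 on a non-existent path confirms the servlet is read-only again.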

Given

  • HTTP DELETE on the path /A_Not_Existing_File_trr.txt. The file does not exist, so the request is harmless even if write methods are enabled.

Expected

  • Expected Status Code: 403 (Forbidden)
    403 (Forbidden) is what Tomcat returns for DELETE when the DefaultServlet is read-only. If readonly is set to false, the servlet looks for the file and answers 404 (Not Found) because it does not exist; that is the signal the test case detects. Tomcat behind a web application firewall (WAF) or other front-end server might return another status code (e.g. 405 (Method Not Allowed)).

    Attention: the test might lead to false positives when the web application is behind a WAF or other front-end server. The reverse also holds: a WAF that answers 403 to every DELETE hides a writable DefaultServlet, so a 403 from a proxied host is not by itself proof that readonly is true.
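The probe and its interpretation, as an added example that is not part of the original test case or of any scanner's code. The script sends the DELETE from the "Given" step, maps the status code to a verdict, and ships with a constructed stand-in for Tomcat's DefaultServlet so it can run offline; the function, class and verdict names are assumptions made for this example. Point check_readonly() at a real base URL to run it against a host.

```python
"""Probe a Tomcat DefaultServlet for readonly=false via a harmless DELETE.

Added example (not from the page or from Tomcat). Interpretation of the
status code returned for DELETE on a path that does not exist:
  403 -> readonly=true, write methods refused (the expected answer)
  404 -> the servlet looked for the file, so DELETE (and PUT) are enabled
  405 -> method blocked, typically by a WAF or a front-end server
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PROBE_PATH = "/A_Not_Existing_File_trr.txt"  # path from the test case

# Direct connections only: ignore http_proxy/https_proxy so the offline
# mock below is reachable; drop the ProxyHandler to honour proxy settings.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify(status):
    """Map the DELETE status of a non-existent path to a verdict."""
    if status == 403:
        return "readonly"
    if status == 404:
        return "writable"
    if status == 405:
        return "blocked"  # WAF / front end; inconclusive, needs manual review
    return "unknown"


def probe(base_url, method="DELETE", path=PROBE_PATH, timeout=5):
    """Send one request and return the HTTP status code (errors included)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_readonly(base_url):
    """Verdict for one host: 'readonly', 'writable', 'blocked' or 'unknown'."""
    return classify(probe(base_url))


class FakeDefaultServlet(BaseHTTPRequestHandler):
    """Constructed mock of DefaultServlet.doDelete: 403 if read-only,
    204 if the file existed and was removed, 404 otherwise."""
    readonly = True
    files = set()

    def do_DELETE(self):
        if self.readonly:
            self.send_error(403)
        elif self.path in self.files:
            self.files.discard(self.path)
            self.send_response(204)
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock(readonly):
    """Start the mock on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (FakeDefaultServlet,),
                   {"readonly": readonly, "files": set()})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    for ro in (True, False):
        srv, url = start_mock(ro)
        print(f"mock readonly={ro}: DELETE {PROBE_PATH} -> {check_readonly(url)}")
        srv.shutdown()
```

Because the probe targets a file that cannot exist, it never deletes anything, which is why the test case can be run against production hosts. A "blocked" verdict means a WAF or front end answered instead of Tomcat; in that case repeat the check from inside the network, directly against the Tomcat connector port, before concluding anything about readonly.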

More information