tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject [Security] - Important vulnerability disclosed in Apache Tomcat webdav servlet
Date Mon, 15 Oct 2007 12:25:17 GMT
A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full-disclosure yesterday, 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
and not affected.

In order to be affected systems must have:
- one or more contexts configured for webdav using Tomcat's built-in
webdav implementation
- enabled write capability via webdav

Note:
- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
(/webdav) by default

Systems with write-enabled webdav contexts that use Tomcat's built-in
webdav servlet are exposed to this vulnerability which, for such
systems, is important.

The mitigations available are:
- Disable write access until a fixed version is released
- Limit write access to trusted users
- Apply the following patch which will be included in the next
releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- src/share/org/apache/catalina/servlets/WebdavServlet.java
(revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java	(working
copy)
@@ -252,6 +252,7 @@
         try {
             documentBuilderFactory =
DocumentBuilderFactory.newInstance();
             documentBuilderFactory.setNamespaceAware(true);
+            documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
documentBuilderFactory.newDocumentBuilder();
         } catch(ParserConfigurationException e) {
             throw new ServletException

[1]
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message