tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]
Date Sun, 21 Oct 2007 03:04:57 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please note that an additional patch has been developed as a result of
further investigation.

A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full-disclosure on 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
are not affected.

In order to be affected systems must have:
- one or more contexts configured for webdav using Tomcat's built-in
webdav implementation
- enabled write capability via webdav

Note:
- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
(/webdav) by default

Systems with write-enabled webdav contexts that use Tomcat's built-in
webdav servlet are exposed to this vulnerability which, for such
systems, is important.

The mitigations available are:
- Disable write access until a fixed version is released
- Limit write access to trusted users
- Apply the following patch which will be included in the next
releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- src/share/org/apache/catalina/servlets/WebdavServlet.java
(revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java	(working
copy)
@@ -252,6 +252,7 @@
         try {
             documentBuilderFactory =
DocumentBuilderFactory.newInstance();
             documentBuilderFactory.setNamespaceAware(true);
+            documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
documentBuilderFactory.newDocumentBuilder();
         } catch(ParserConfigurationException e) {
             throw new ServletException
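Review bot: setExpandEntityReferences(false) on its own does not stop the parser from fetching the external entity; it only controls whether the resulting DOM keeps EntityReference nodes, and the follow-up patch's own Javadoc ("parsers that don't fully respect ...") concedes exactly this. Pair it with a control that acts before the fetch, such as the EntityResolver added in the second patch or a factory feature that rejects DOCTYPE declarations, so the fix does not depend on a particular parser's interpretation of this flag.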



** Additional Patch **
Index: org/apache/catalina/servlets/LocalStrings.properties
===================================================================
- --- org/apache/catalina/servlets/LocalStrings.properties	(revision
586817)
+++ org/apache/catalina/servlets/LocalStrings.properties	(working copy)
@@ -25,6 +25,7 @@
 invokerServlet.notNamed=Cannot call invoker servlet with a named
dispatcher
 invokerServlet.noWrapper=Container has not called setWrapper() for
this servlet
 webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference
to an external entity with PublicID {0} and SystemID {1} which was ignored
 directory.filename=Filename
 directory.lastModified=Last Modified
 directory.parent=Up To {0}
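Review bot: the new key webdavservlet.enternalEntityIgnored is misspelled ("enternal" for "external"); it matches the lookup in WebdavResolver so the message resolves, but once shipped the typo becomes part of the public resource key, so rename both sides to webdavservlet.externalEntityIgnored before committing. Note also that {0} and {1} are filled with PublicID and SystemID taken verbatim from the request body, which matters for how the resolver logs them.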
Index: org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- org/apache/catalina/servlets/WebdavServlet.java	(revision 586817)
+++ org/apache/catalina/servlets/WebdavServlet.java	(working copy)
@@ -20,6 +20,7 @@


 import java.io.IOException;
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.security.MessageDigest;
@@ -36,6 +37,7 @@
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.UnavailableException;
 import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;

@@ -245,6 +248,8 @@
             documentBuilderFactory.setNamespaceAware(true);
             documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(
+                    new WebdavResolver(this.getServletContext()));
         } catch(ParserConfigurationException e) {
             throw new ServletException
                 (sm.getString("webdavservlet.jaxpfailed"));
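Review bot: the resolver is attached to the documentBuilder field that the servlet creates once in init and reuses for every request, so it is the single control standing between a request body and an external fetch. Consider additionally setting the Xerces feature http://apache.org/xml/features/disallow-doctype-decl to true on documentBuilderFactory here; a PROPFIND or PROPPATCH body carrying a DOCTYPE is then rejected before any entity is declared, the resolver becomes defence in depth, and a parser that does not support the feature would surface as the ParserConfigurationException this block already catches.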
@@ -2779,6 +2784,26 @@
     }


+    // --------------------------------------------- WebdavResolver
Inner Class
+    /**
+     * Work around for XML parsers that don't fully respect
+     * {@link
DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+     * references are filtered out for security reasons. See
CVE-2007-5461.
+     */
+    private class WebdavResolver implements EntityResolver {
+        private ServletContext context;
+
+        public WebdavResolver(ServletContext theContext) {
+            context = theContext;
+        }
+
+        public InputSource resolveEntity (String publicId, String
systemId) {
+
context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+                    publicId, systemId));
+            return new InputSource(
+                    new StringReader("Ignored external entity"));
+        }
+    }
 };
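Review bot: resolveEntity() passes publicId and systemId to context.log() exactly as they arrived in the request body; both are attacker-controlled strings, so strip CR/LF or length-limit them before formatting the message to keep a client from forging extra log lines. Two smaller points: the Javadoc {@link DocumentBuilderFactory#setExpandEntityReferences(false)} will not resolve because {@link} takes a parameter type, not a value, so write {@link DocumentBuilderFactory#setExpandEntityReferences(boolean)}; and returning the text "Ignored external entity" is fine for an external general entity, but when the reference is an external DTD subset that text is not a valid markup declaration and the parse fails rather than continuing, which is an acceptable outcome but deserves a comment so nobody "fixes" it later. The context field can also be final.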

[1]
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html

- ---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHGsHZb7IeiTPGAkMRApR0AJwN589C3UddiSIDJ3NRp16wEo9ueACbBanu
H4Ys6YNInkmyph16Qy0Cbz4=
=dUO/
-----END PGP SIGNATURE-----
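As an added stand-alone check (not part of the advisory or of Tomcat's own code), the program below feeds a constructed PROPFIND body with an external entity to three DocumentBuilder configurations: the JAXP defaults, the patch's combination of setExpandEntityReferences(false) plus an ignoring EntityResolver, and a factory that rejects any DOCTYPE via the Xerces feature http://apache.org/xml/features/disallow-doctype-decl. IgnoringResolver mirrors the patch's WebdavResolver; the CR/LF stripping before logging and the third configuration are hardening additions of this example, and the file path in the sample body is a constructed placeholder that does not exist.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

/** Compares three parser configurations against a WebDAV request body carrying an external entity. */
public class WebdavXxeCheck {

    // Constructed sample request body: a PROPFIND whose internal DTD subset declares an
    // external entity pointing at a local path that does not exist on this machine.
    static final String PROPFIND_BODY =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE propfind [\n"
        + "  <!ENTITY ext SYSTEM \"file:///nonexistent/xxe-probe.txt\">\n"
        + "]>\n"
        + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname>&ext;</D:displayname>"
        + "</D:prop></D:propfind>\n";

    /** Modelled on the patch's WebdavResolver: never fetches, logs the reference, returns inert text. */
    static final class IgnoringResolver implements EntityResolver {
        boolean consulted = false;

        public InputSource resolveEntity(String publicId, String systemId) {
            consulted = true;
            // Addition over the patch: both identifiers come from the request body, so strip
            // line breaks before they reach the log to prevent forged log lines.
            String pid = publicId == null ? null : publicId.replaceAll("[\\r\\n]", " ");
            String sid = systemId == null ? null : systemId.replaceAll("[\\r\\n]", " ");
            System.out.println("  resolver: ignored external entity publicId=" + pid + " systemId=" + sid);
            return new InputSource(new StringReader("Ignored external entity"));
        }
    }

    /** Mode 1: JAXP defaults, nothing disabled. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    /** Mode 2: what the advisory's patch does. */
    static DocumentBuilder patchStyleBuilder(EntityResolver resolver) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(resolver);
        return b;
    }

    /** Mode 3: refuse any DOCTYPE; a parser without this feature throws ParserConfigurationException. */
    static DocumentBuilder noDoctypeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    /** Parses the sample body with the given builder and reports the outcome. */
    static void run(String label, DocumentBuilder builder) {
        System.out.println(label);
        try {
            Document doc = builder.parse(new InputSource(new StringReader(PROPFIND_BODY)));
            System.out.println("  parsed; displayname text = '"
                + doc.getDocumentElement().getTextContent() + "'");
        } catch (Exception e) {
            System.out.println("  parse failed: " + e);
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        run("default builder (the parser tries to fetch the entity; it fails here only because the file is absent):",
            defaultBuilder());
        IgnoringResolver r = new IgnoringResolver();
        run("patch-style builder (the resolver intercepts the reference before any fetch):",
            patchStyleBuilder(r));
        System.out.println("  resolver consulted: " + r.consulted);
        run("no-DOCTYPE builder (the body is rejected before any entity is declared):",
            noDoctypeBuilder());
    }
}
```

Compile and run with `javac WebdavXxeCheck.java && java WebdavXxeCheck`. The default mode shows the parser reaching for the SystemID; the patch-style mode shows the resolver being consulted instead, with the request's identifiers appearing only in sanitised form; the no-DOCTYPE mode shows the cheapest control, which is appropriate for the WebDAV servlet because its PROPFIND and PROPPATCH bodies never legitimately need a DTD.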
