tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: svn commit: r1810270 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
Date Mon, 02 Oct 2017 11:17:53 GMT
On 02/10/17 11:59, Konstantin Kolinko wrote:
> 2017-10-02 12:59 GMT+03:00 Mark Thomas <markt@apache.org>:
>> On 02/10/17 10:13, Rainer Jung wrote:
>>> Am 01.10.2017 um 20:10 schrieb markt@apache.org:
>>>> Author: markt
>>>> Date: Sun Oct  1 18:10:45 2017
>>>> New Revision: 1810270
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
>>>> Log:
>>>> Add CVE-2017-12617
>>>>
>>> ...
>>>> +<p>When running on Windows with HTTP PUTs enabled (e.g. via setting
the
>>>> +       <code>readonly</code> initialisation parameter of the
Default to false)
>>>> +       it was possible to upload a JSP file to the server via a specially
>>>> +       crafted request. This JSP could then be requested and any code it
>>>> +       contained would be executed by the server.</p>
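Review bot: the added paragraph limits the issue to Windows and the Default servlet, which is the CVE-2017-12615 wording, while the log line says this entry is for CVE-2017-12617; it should lead with the broader condition (HTTP PUT enabled, whichever servlet handles it) and keep Windows and the Default servlet only as an example. Also, "initialisation parameter of the Default to false)" is missing a word and should read "Default servlet" or "DefaultServlet".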
>>> ...
>>>
>>> It seems the description (for TC 7, 8 and 9) was copied from
>>> CVE-2017-12615, thus only refers to Windows and the Default servlet.
>>> Your original description of the topic was broader.
>>
>> Indeed. I'll get that fixed. Thanks for catching that.
> 
> s/Default/DefaultServlet" or "Default servlet" ?

Thanks. Fixed.

> The announcement mentioned WebDAV servlet (WebdavServlet) as well.

It did.

However, the vector I had in mind wasn't viable so I don't think the
WebDAV was actually vulnerable. I opted to be overly cautious in the
initial announcement and mentioned it. However, there might be an edge
case where it is. So...

On balance, I think the text is OK. It talks about HTTP PUT as the
primary concern and only uses the Default servlet as an example.

I'm not against WebDAV being explicitly mentioned but I don't think it
is necessary.

Mark
