Subject: Re: svn commit: r1810270 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
To: Tomcat Developers List
Delivered-To: mailing list dev@tomcat.apache.org
References: <20171001181048.4D4693A026E@svn01-us-west.apache.org> <4a704404-1984-41f6-28a0-44c06f20b043@apache.org>
From: Mark Thomas
Date: Mon, 2 Oct 2017 12:17:53 +0100

On 02/10/17 11:59, Konstantin Kolinko wrote:
> 2017-10-02 12:59 GMT+03:00 Mark Thomas:
>> On 02/10/17 10:13, Rainer Jung wrote:
>>> On 01.10.2017 at 20:10, markt@apache.org wrote:
>>>> Author: markt
>>>> Date: Sun Oct 1 18:10:45 2017
>>>> New Revision: 1810270
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
>>>> Log:
>>>> Add CVE-2017-12617
>>>>
>>> ...
>>>> +

When running on Windows with HTTP PUTs enabled (e.g. via setting the >>>> + readonly initialisation parameter of the Default to false) >>>> + it was possible to upload a JSP file to the server via a specially >>>> + crafted request. This JSP could then be requested and any code it >>>> + contained would be executed by the server.
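
Review bot: the description in this hunk is scoped to Windows and the Default servlet, which is the CVE-2017-12615 wording rather than the broader scope of the CVE-2017-12617 entry that the log line says this commit adds; reword it so that HTTP PUT is the primary concern, not limited to Windows, with the Default servlet given only as an example. Also, "readonly initialisation parameter of the Default to false" is missing a word and should read "of the Default servlet to false".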

>>> ...
>>>
>>> It seems the description (for TC 7, 8 and 9) was copied from
>>> CVE-2017-12615, thus only refers to Windows and the Default servlet.
>>> Your original description of the topic was broader.
>>
>> Indeed. I'll get that fixed. Thanks for catching that.
>
> s/Default/DefaultServlet" or "Default servlet" ?

Thanks. Fixed.

> The announcement mentioned WebDAV servlet (WebdavServlet) as well.

It did. However, the vector I had in mind wasn't viable so I don't think the WebDAV was actually vulnerable. I opted to be overly cautious in the initial announcement and mentioned it. However, there might be an edge case where it is. So...

On balance, I think the text is OK. It talks about HTTP PUT as the primary concern and only uses the Default servlet as an example. I'm not against WebDAV being explicitly mentioned but I don't think it is necessary.

Mark
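As an added example (not from this thread or from the Tomcat project), the following script audits a web.xml for the configuration the advisory text describes: the DefaultServlet's `readonly` init-param having been changed so that HTTP PUT is accepted. The two web.xml fragments are constructed for the demonstration; the servlet class name `org.apache.catalina.servlets.DefaultServlet` and the assumption that Tomcat parses the parameter as a Java boolean (only the string "true", case-insensitively, means read-only) are taken from Tomcat knowledge, not from the thread.

```python
"""Audit a Tomcat web.xml for DefaultServlet HTTP PUT exposure.

Added example, not code from the mailing-list thread or from Tomcat.
Reports whether the DefaultServlet declaration has its 'readonly'
init-param set such that PUT requests would be accepted.
"""
import sys
import xml.etree.ElementTree as ET

# Tomcat's DefaultServlet class (assumption from Tomcat knowledge, not the thread).
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: readonly explicitly set to false, i.e. PUT enabled.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: readonly left unset, so the servlet stays read-only.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective read-only state of the DefaultServlet.

    None  -> no DefaultServlet declaration found in this web.xml
    True  -> parameter absent (read-only is the default) or set to "true"
    False -> parameter present with any value other than "true"
             (assumed Boolean.parseBoolean semantics)
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = None
        params = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname:
                    params[pname] = pvalue or ""
        if servlet_class == DEFAULT_SERVLET_CLASS:
            value = params.get("readonly")
            if value is None:
                return True  # parameter absent: stays read-only
            return value.strip().lower() == "true"
    return None


def put_enabled(web_xml_text):
    """True only when a DefaultServlet is declared and is not read-only."""
    return default_servlet_readonly(web_xml_text) is False


if __name__ == "__main__":
    # Usage: python audit_default_servlet.py [path/to/web.xml]
    # Without an argument the constructed weak sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_WEB_XML
    state = default_servlet_readonly(text)
    if state is None:
        print("no DefaultServlet declaration found")
    elif put_enabled(text):
        print("WARNING: DefaultServlet readonly disabled; HTTP PUT is accepted")
    else:
        print("OK: DefaultServlet is read-only")
```

Run it against each web.xml that declares the DefaultServlet (the global one and any per-application override), since an application-level declaration can change the parameter for that context alone.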