On 02/10/17 10:13, Rainer Jung wrote:
> On 01.10.2017 at 20:10, ma...@apache.org wrote:
>> Author: markt
>> Date: Sun Oct 1 18:10:45 2017
>> New Revision: 1810270
>>
>> URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
>> Log:
>> Add CVE-2017-12617
>>
> ...
>> +<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
>> + <code>readonly</code> initialisation parameter of the Default to
>> false)
>> + it was possible to upload a JSP file to the server via a specially
>> + crafted request. This JSP could then be requested and any code it
>> + contained would be executed by the server.</p>
> ...
>
> It seems the description (for TC 7, 8 and 9) was copied from
> CVE-2017-12615, thus only refers to Windows and the Default servlet.
> Your original description of the topic was broader.

Indeed. I'll get that fixed. Thanks for catching that.

Mark
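
Review bot: the added paragraph opens with "When running on Windows" and cites only the Default servlet's readonly parameter as its example of PUT being enabled, which, as Rainer notes in the thread, is the CVE-2017-12615 wording and narrower than the original description of this issue; the CVE-2017-12617 entry should state its own affected conditions rather than reuse that text. Separately, "initialisation parameter of the Default to false" is missing the word "servlet" after "Default".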