2017-10-02 12:59 GMT+03:00 Mark Thomas <ma...@apache.org>:
> On 02/10/17 10:13, Rainer Jung wrote:
>> On 01.10.2017 at 20:10, ma...@apache.org wrote:
>>> Author: markt
>>> Date: Sun Oct 1 18:10:45 2017
>>> New Revision: 1810270
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
>>> Log:
>>> Add CVE-2017-12617
>>>
>> ...
>>> +<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
>>> + <code>readonly</code> initialisation parameter of the Default to
>>> false)
>>> + it was possible to upload a JSP file to the server via a specially
>>> + crafted request. This JSP could then be requested and any code it
>>> + contained would be executed by the server.</p>
>> ...
>>
>> It seems the description (for TC 7, 8 and 9) was copied from
>> CVE-2017-12615, thus only refers to Windows and the Default servlet.
>> Your original description of the topic was broader.
>
> Indeed. I'll get that fixed. Thanks for catching that.
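
Review bot: In the added <p>, the phrase "initialisation parameter of the Default to false" is missing the noun after "Default"; write "Default servlet" so the sentence names the component whose readonly parameter is meant. The opening condition "When running on Windows with HTTP PUTs enabled" also ties the entry to one platform and one servlet, which the replies in this thread identify as wording carried over from the CVE-2017-12615 entry, so the scope sentence should be rewritten for CVE-2017-12617 rather than reused.
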
s/Default/DefaultServlet" or "Default servlet" ?

The announcement mentioned WebDAV servlet (WebdavServlet) as well.

Best regards,
Konstantin Kolinko