On 02/10/17 11:59, Konstantin Kolinko wrote:
> 2017-10-02 12:59 GMT+03:00 Mark Thomas <ma...@apache.org>:
>> On 02/10/17 10:13, Rainer Jung wrote:
>>> On 01.10.2017 at 20:10, ma...@apache.org wrote:
>>>> Author: markt
>>>> Date: Sun Oct 1 18:10:45 2017
>>>> New Revision: 1810270
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
>>>> Log:
>>>> Add CVE-2017-12617
>>>>
>>> ...
>>>> +<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
>>>> + <code>readonly</code> initialisation parameter of the Default to
>>>> false)
>>>> + it was possible to upload a JSP file to the server via a specially
>>>> + crafted request. This JSP could then be requested and any code it
>>>> + contained would be executed by the server.</p>
>>> ...
>>>
>>> It seems the description (for TC 7, 8 and 9) was copied from
>>> CVE-2017-12615, thus only refers to Windows and the Default servlet.
>>> Your original description of the topic was broader.
>>
>> Indeed. I'll get that fixed. Thanks for catching that.
>
> s/Default/DefaultServlet" or "Default servlet" ?
Thanks. Fixed.

> The announcement mentioned WebDAV servlet (WebdavServlet) as well.

It did. However, the vector I had in mind wasn't viable, so I don't think the WebDAV was actually vulnerable. I opted to be overly cautious in the initial announcement and mentioned it. However, there might be an edge case where it is.

So... On balance, I think the text is OK. It talks about HTTP PUT as the primary concern and only uses the Default servlet as an example. I'm not against WebDAV being explicitly mentioned, but I don't think it is necessary.

Mark