A vulnerability in the Apache Tomcat webdav servlet was publicly disclosed on full-disclosure yesterday, 14-Oct-2007.[1]
The Tomcat security team has evaluated this vulnerability and determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x are not affected. In order to be affected, systems must have:

- one or more contexts configured for webdav using Tomcat's built-in webdav implementation
- enabled write capability via webdav

Note:

- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context (/webdav) by default

Systems with write-enabled webdav contexts that use Tomcat's built-in webdav servlet are exposed to this vulnerability which, for such systems, is important.

The mitigations available are:

- Disable write access until a fixed version is released
- Limit write access to trusted users
- Apply the following patch, which will be included in the next releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- src/share/org/apache/catalina/servlets/WebdavServlet.java (revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java (working copy)
@@ -252,6 +252,7 @@ try { documentBuilderFactory = DocumentBuilderFactory.newInstance(); documentBuilderFactory.setNamespaceAware(true); + documentBuilderFactory.setExpandEntityReferences(false); documentBuilder = documentBuilderFactory.newDocumentBuilder(); } catch(ParserConfigurationException e) { throw new ServletException

[1] http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html
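Review bot: the added `documentBuilderFactory.setExpandEntityReferences(false);` on its own only stops the DOM from inlining entity replacement text; the parser still reads the DOCTYPE and can still fetch external general and parameter entities and external DTDs. Since a WebDAV request body has no legitimate use for a DTD, the same try block should also set the SAX features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false (and, on Xerces, `http://apache.org/xml/features/disallow-doctype-decl` to true), with a ParserConfigurationException from an unsupported feature treated as fatal rather than ignored.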
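The patch changes one line of the servlet's DocumentBuilderFactory setup. As an added example, not Tomcat's own code, the class below carries that configuration further with the standard JAXP/Xerces feature URIs a defender would set next to setExpandEntityReferences(false), and checks that the resulting parser refuses a constructed PROPFIND body that carries a DTD; the class name, method names and the sample request body are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class WebdavXmlHardening {

    // Factory configured as in the patch, plus the JAXP/Xerces features that
    // actually keep the parser from reading a DTD or fetching external entities.
    // An unsupported feature throws ParserConfigurationException, which is the
    // right outcome: better no webdav XML parsing than an unprotected one.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);   // the one-line change in the patch
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Constructed sample: a PROPFIND body with an internal DTD. A WebDAV client
    // never needs a DOCTYPE, so its mere presence is the signal to reject.
    static final String PROPFIND_WITH_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE propfind [ <!ENTITY probe \"expanded\"> ]>\n"
        + "<D:propfind xmlns:D=\"DAV:\"><D:prop>"
        + "<D:displayname>&probe;</D:displayname></D:prop></D:propfind>";

    // True when the hardened parser refuses the body (Xerces raises a
    // SAXParseException as soon as the DOCTYPE is seen).
    static boolean rejectsDoctype(String body) throws Exception {
        try {
            hardenedBuilder().parse(
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects DTD-bearing PROPFIND: "
            + rejectsDoctype(PROPFIND_WITH_DTD));
    }
}
```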