DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=43671>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43671 ------- Additional Comments From [EMAIL PROTECTED] 2007-10-22 03:16 ------- Created an attachment (id=21019) --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21019&action=view) Code fragment showing how to intercept injected entities The attached (ugly) code fragment shows how to intercept the process of entity expansion by detecting the injected strings. As an example it intercepts entities with a "file:" prefix and posts it to stderr. As the comitter is not really an expert of the WEBDAV semantics this patch draft may need some brush up to be production ready. When used with Webdav write access enabled and the perl script with perl cve-2007-5461-exploit.pl 127.0.0.1 /webdav /etc/passwd the entity expansion and injection attack is detected an the following output is posted to stderr: Oct 19, 2007 1:01:15 PM org.apache.catalina.core.ApplicationContext log pub:null sys:file:///etc/passwd attack Oct 19, 2007 1:01:15 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet webdav threw exception java.lang.NullPointerException at org.apache.catalina.servlets.WebdavServlet.doLock(WebdavServlet.java:966) -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
