[ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jay D. McHugh reassigned GERONIMO-3549:
---------------------------------------
Assignee: Jay D. McHugh
> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
> Key: GERONIMO-3549
> URL: https://issues.apache.org/jira/browse/GERONIMO-3549
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Tomcat
> Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.0.x, 2.1
> Reporter: Donald Woods
> Assignee: Jay D. McHugh
> Fix For: 2.0.x, 2.1
>
>
> Subject: [SECURITY] Potential vulnerability in Apache Tomcat Webdav servlet
> Date: Thu, 18 Oct 2007 13:40:24 -0400
> From: Kevan Miller <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> To: Geronimo Dev <[email protected]>
> The Geronimo project has learned of a security vulnerability in the
> Apache Tomcat Webdav Servlet implementation. If you use a Tomcat
> configuration of Geronimo and configure a write-enabled Webdav servlet,
> you may be affected by this vulnerability. If you do not configure the
> Webdav servlet or configure read-only Webdav servlets, you are not
> impacted by this vulnerability. Jetty configurations of Geronimo are not
> affected by this vulnerability.
> This vulnerability impacts all Geronimo releases up to and including
> Geronimo 2.0.2.
> For specific information regarding the Tomcat issue, see
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/[EMAIL PROTECTED]
> By default, Geronimo releases do not use the Webdav servlet. However, it
> is possible for the Webdav Servlet to be configured or referenced by a
> user-written application.
> The Webdav Servlet could be explicitly configured in a web.xml
> deployment descriptor as follows:
> ...
> <servlet>
>   <servlet-name>webdav</servlet-name>
>   <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
>   <init-param>
>     <param-name>readonly</param-name>
>     <param-value>false</param-value>
>   </init-param>
> </servlet>
> Alternatively, a user's application could extend the WebdavServlet, for
> example:
> import org.apache.catalina.servlets.WebdavServlet;
>
> public class MyServlet extends WebdavServlet {
>     ...
> }
> If you configure a write-enabled Webdav servlet, we recommend that you:
> - Disable write access to the Webdav Servlet until this problem has
> been fixed, or
> - Limit access to the Webdav servlet to only trusted users.
> This vulnerability will be fixed in the next release of Geronimo (2.0.3
> and/or 2.1).
> --kevan