Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-22 Thread Mark Thomas
On 22/09/17 10:36, Maarten van Hulsentop wrote: > I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation. > The issue can indeed easily be reproduced on the default servlet by setting > the readonly property to false. After that, it is possible to PUT the jsp > and the GET

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-22 Thread Maarten van Hulsentop
Hello, Op wo 20 sep. 2017 om 09:27 schreef Mark Thomas : > On 19/09/17 14:10, Mark Thomas wrote: > > On 19/09/17 14:00, André Warnier (tomcat) wrote: > >> Hello. > >> > >> Did the issue below also affect the DAV application ? > > > > Yes, as the WebDAV servlet also processes

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-20 Thread Mark Thomas
On 19/09/17 14:10, Mark Thomas wrote: > On 19/09/17 14:00, André Warnier (tomcat) wrote: >> Hello. >> >> Did the issue below also affect the DAV application ? > > Yes, as the WebDAV servlet also processes HTTP PUT requests. > > The WebDAV servlet extends the Default servlet so they actually

RE: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Thakur, Gulam (IBM)
- From: Mark Thomas [mailto:ma...@apache.org] Sent: 19 September 2017 14:10 To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload On 19/09/17 14:00, André Warnier (tomcat) wrote: > Hello. > > Did

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
On 19/09/17 14:00, André Warnier (tomcat) wrote: > Hello. > > Did the issue below also affect the DAV application ? Yes, as the WebDAV servlet also processes HTTP PUT requests. The WebDAV servlet extends the Default servlet so they actually share the implementation. > And if yes, also only

Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread tomcat
Hello. Did the issue below also affect the DAV application ? And if yes, also only under Windows ? Forwarded Message Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload Date: Tue, 19 Sep 2017 11:58:44 +0100 From: Mark Thomas