On 19/09/17 14:10, Mark Thomas wrote:
> On 19/09/17 14:00, André Warnier (tomcat) wrote:
>> Hello.
>>
>> Did the issue below also affect the DAV application?
>
> Yes, as the WebDAV servlet also processes HTTP PUT requests.
>
> The WebDAV servlet extends the Default servlet so they actually share
> the implementation.

Thinking about this a little more, it will depend on how the WebDAV servlet is mapped. While there is a configuration where this would be an issue for WebDAV, I don't think it is one that would normally be used.

Mark

>
>> And if yes, also only under Windows?
>
> Yes. This is, as far as we can tell, Windows specific.
>
> HTH,
>
> Mark
>
>
>>
>> -------- Forwarded Message --------
>> Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution
>> via JSP upload
>> Date: Tue, 19 Sep 2017 11:58:44 +0100
>> From: Mark Thomas <ma...@apache.org>
>> Reply-To: Tomcat Users List <users@tomcat.apache.org>
>> To: Tomcat Users List <users@tomcat.apache.org>
>> CC: annou...@tomcat.apache.org <annou...@tomcat.apache.org>,
>> annou...@apache.org, Tomcat Developers List <d...@tomcat.apache.org>
>>
>> CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 7.0.0 to 7.0.79
>>
>> Description:
>> When running on Windows with HTTP PUTs enabled (e.g. via setting the
>> readonly initialisation parameter of the Default to false) it was
>> possible to upload a JSP file to the server via a specially crafted
>> request. This JSP could then be requested and any code it contained
>> would be executed by the server.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)
>>
>> Credit:
>> This issue was reported responsibly to the Apache Tomcat Security Team
>> by iswin from 360-sg-lab (360观星实验室)
>>
>> History:
>> 2017-09-19 Original advisory
>>
>> References:
>> [1] http://tomcat.apache.org/security-7.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
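The advisory above ties the exposure to the `readonly` init-param of the Default servlet being set to `false`, and the reply notes that the WebDAV servlet shares that PUT handling. The following audit script is an added example for this thread, not code from Tomcat or from the advisory: it parses a `web.xml`, finds servlet definitions of `org.apache.catalina.servlets.DefaultServlet` or `org.apache.catalina.servlets.WebdavServlet` that explicitly set `readonly` to `false`, and reports them together with their URL mappings so an administrator can see where PUT is reachable. The sample `web.xml` embedded below is constructed for the example; the function and constant names are the script's own, and the servlet class names and the `readonly` parameter are the real Tomcat ones named in the thread. Tomcat's documented default for `readonly` is `true`, so only an explicit `false` is flagged.

```python
"""Audit a Tomcat web.xml for servlets that accept HTTP PUT (readonly=false).

Added example for the mailing-list thread, not Tomcat or advisory code.
Flags DefaultServlet and WebdavServlet definitions whose 'readonly'
init-param is explicitly false (Tomcat's default for it is true).
"""
import xml.etree.ElementTree as ET

# Servlet classes that share the PUT handling discussed in the thread.
PUT_CAPABLE = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

# Constructed sample: 'default' is writable and mapped at '/', 'webdav' is read-only.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>webdav</servlet-name>
    <url-pattern>/webdav/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace from a tag name ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    """Return the stripped text of the first child element named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_writable_servlets(web_xml):
    """Return [(servlet-name, servlet-class, [url-pattern, ...])] for PUT-enabled servlets."""
    root = ET.fromstring(web_xml)
    servlets = {}   # name -> (class, readonly value or None)
    mappings = {}   # name -> [url-pattern, ...]
    for elem in root:
        kind = _local(elem.tag)
        if kind == "servlet":
            name = _text(elem, "servlet-name")
            cls = _text(elem, "servlet-class")
            readonly = None
            for child in elem:
                if _local(child.tag) == "init-param" and _text(child, "param-name") == "readonly":
                    readonly = _text(child, "param-value")
            servlets[name] = (cls, readonly)
        elif kind == "servlet-mapping":
            name = _text(elem, "servlet-name")
            patterns = [(c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern"]
            mappings.setdefault(name, []).extend(patterns)

    findings = []
    for name, (cls, readonly) in servlets.items():
        # readonly defaults to true, so only an explicit "false" enables PUT.
        if cls in PUT_CAPABLE and readonly is not None and readonly.lower() == "false":
            findings.append((name, cls, mappings.get(name, [])))
    return findings


if __name__ == "__main__":
    for name, cls, patterns in find_writable_servlets(SAMPLE_WEB_XML):
        print(f"PUT enabled: servlet '{name}' ({cls}) mapped at {patterns or ['<unmapped>']}")
```

Run it against a real deployment's `conf/web.xml` and each webapp's `WEB-INF/web.xml` (a webapp can redeclare the default servlet), and treat any finding as a reason to confirm the server is on a fixed version per the advisory and that PUT is genuinely needed on that mapping.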