On 22/09/17 10:36, Maarten van Hulsentop wrote:
> I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation.
> The issue can indeed easily be reproduced on the default servlet by setting
> the readonly property to false. After that, it is possible to PUT the jsp
> and the GET request will execute.
> When i change the default servlet to be the WebDAV servlet, it can not
> longer PUT the JSP because of 409 errors.
> Adjusting the servlet mapping from / to /* resolves the 409. But doing so
> seems to prevent the JSP execution; the GET request will just yield the
> contents of the JSP.
> What do i need to do to get it reproduced for the WebDAV servlet as well?
> Or is this a theoretical thing and can we consider the WebDAV servlet
> configured in scenario 3 as not vulnerable in the real world?

I haven't seen a PoC for exploiting this via Tomcat's WebDAV
implementation. The original advisory was based on an understanding of
the Default servlet PoC and a quick look at Tomcat's WebDAV code. A
closer inspection shows that the Default servlet PoC won't work with
Tomcat's WebDAV implementation.

It looks to be unlikely that Tomcat's WebDAV implementation is
exploitable but as far as I am aware there hasn't been a great deal of
investigation in that direction. At this point it seems prudent to
assume that WebDAV could be vulnerable and mitigate accordingly.

> Does this
> also apply for individual web applications configuring a similar web.xml or
> is it only reproducable on the global default servlet?

CVE-2017-12615 applies in either of the above scenarios.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to