-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please note that an additional patch has been developed as a result of further investigation.
A vulnerability in the Apache Tomcat webdav servlet was publicly disclosed on full-disclosure on 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x are not affected. In order to be affected, systems must have:
- - one or more contexts configured for webdav using Tomcat's built-in webdav implementation
- - enabled write capability via webdav

Note:
- - Tomcat 6.0.x has no webdav enabled contexts by default
- - Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context (/webdav) by default

Systems with write-enabled webdav contexts that use Tomcat's built-in webdav servlet are exposed to this vulnerability which, for such systems, is rated important.

The mitigations available are:
- - Disable write access until a fixed version is released
- - Limit write access to trusted users
- - Apply the following patch, which will be included in the next releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- src/share/org/apache/catalina/servlets/WebdavServlet.java (revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java (working copy)
@@ -252,6 +252,7 @@
 try {
 documentBuilderFactory = DocumentBuilderFactory.newInstance();
 documentBuilderFactory.setNamespaceAware(true);
+ documentBuilderFactory.setExpandEntityReferences(false);
 documentBuilder = documentBuilderFactory.newDocumentBuilder();
 } catch(ParserConfigurationException e) {
 throw new ServletException

** Additional Patch **

Index: org/apache/catalina/servlets/LocalStrings.properties
===================================================================
- --- org/apache/catalina/servlets/LocalStrings.properties (revision 586817)
+++ org/apache/catalina/servlets/LocalStrings.properties (working copy)
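Review bot: `setExpandEntityReferences(false)` only controls whether entity references are expanded into the DOM; it does not by itself stop the parser from fetching an external DTD or the external entities a request body declares, which is exactly what the follow-up patch further down this message has to work around with a custom EntityResolver. The parser features should be switched off at the factory too, inside the same try block so the existing `ParserConfigurationException` handler covers a parser that lacks them: `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and, where the parser supports it, `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` — the last rejects any DOCTYPE outright, which I would not expect a WebDAV client to send, but that should be confirmed before relying on it. The enclosing method's signature and the rest of its body lie outside the hunk, and the `throw new ServletException` on the last context line is cut off.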
@@ -25,6 +25,7 @@
 invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
 invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
 webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
 directory.filename=Filename
 directory.lastModified=Last Modified
 directory.parent=Up To {0}
Index: org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- org/apache/catalina/servlets/WebdavServlet.java (revision 586817)
+++ org/apache/catalina/servlets/WebdavServlet.java (working copy)
@@ -20,6 +20,7 @@
 import java.io.IOException;
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.security.MessageDigest;
@@ -36,6 +37,7 @@
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.UnavailableException;
 import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -245,6 +248,8 @@
 documentBuilderFactory.setNamespaceAware(true);
 documentBuilderFactory.setExpandEntityReferences(false);
 documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(
+ new WebdavResolver(this.getServletContext()));
 } catch(ParserConfigurationException e) {
 throw new ServletException
 (sm.getString("webdavservlet.jaxpfailed"));
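Review bot: Installing the resolver on the builder leaves the entity declarations themselves in play: the DOCTYPE and any internal entities in the request body are still parsed, so a nested-entity expansion body ("billion laughs") can presumably still exhaust memory even though nothing external is fetched, and the end of this try block is where that should be addressed. Add `documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` before `newDocumentBuilder()` (it throws `ParserConfigurationException`, which the visible catch already handles, and needs `import javax.xml.XMLConstants;`), and, if the parser honours them, disable `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` so the resolver becomes defence in depth rather than the only control. The catch on the context lines also discards `e`; `throw new ServletException(sm.getString("webdavservlet.jaxpfailed"), e);` would keep the parser's reason in the log, although that line predates this change. The method's signature is outside the hunk.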
@@ -2779,6 +2784,26 @@
 }
+ // --------------------------------------------- WebdavResolver Inner Class
+ /**
+ * Work around for XML parsers that don't fully respect
+ * [EMAIL PROTECTED] DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+ * references are filtered out for security reasons. See CVE-2007-5461.
+ */
+ private class WebdavResolver implements EntityResolver {
+ private ServletContext context;
+
+ public WebdavResolver(ServletContext theContext) {
+ context = theContext;
+ }
+
+ public InputSource resolveEntity (String publicId, String systemId) {
+ context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+ publicId, systemId));
+ return new InputSource(
+ new StringReader("Ignored external entity"));
+ }
+ }
 };

[1] http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html

- ---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHGsHZb7IeiTPGAkMRApR0AJwN589C3UddiSIDJ3NRp16wEo9ueACbBanu
H4Ys6YNInkmyph16Qy0Cbz4=
=dUO/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
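Review bot: `resolveEntity` passes `publicId` and `systemId` to `context.log(...)` exactly as the client supplied them in the request body, so an attacker can inject line breaks or an arbitrarily long string into the server log; strip control characters and bound the length before formatting, e.g. `publicId == null ? null : publicId.replaceAll("\\p{Cntrl}+", "?")` and likewise for `systemId`. The placeholder `new StringReader("Ignored external entity")` is also what the parser receives for an external DTD subset (`<!DOCTYPE ... SYSTEM "...">`), where that text is not valid DTD markup and the request presumably fails to parse rather than being "ignored" as the message says, while for a general entity it may surface as document text; `new StringReader("")` is neutral in both cases. The message key `webdavservlet.enternalEntityIgnored` is misspelled in both this call and the properties hunk above — consistent, so it resolves, but worth correcting to `externalEntityIgnored` in both places at once. As a point of style the class can be `private static` since it touches only its own `context` field and `sm`, assuming `sm` is static as it is declared outside this hunk.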