On 22/09/17 10:36, Maarten van Hulsentop wrote:
> I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation.
> The issue can indeed easily be reproduced on the default servlet by setting
> the readonly property to false. After that, it is possible to PUT the jsp
> and the GET request will execute.
> 
> When I change the default servlet to be the WebDAV servlet, it can no
> longer PUT the JSP because of 409 errors.
> Adjusting the servlet mapping from / to /* resolves the 409. But doing so
> seems to prevent the JSP execution; the GET request will just yield the
> contents of the JSP.
> What do I need to do to get it reproduced for the WebDAV servlet as well?
> Or is this a theoretical thing and can we consider the WebDAV servlet
> configured in scenario 3 as not vulnerable in the real world?

I haven't seen a PoC for exploiting this via Tomcat's WebDAV
implementation. The original advisory was based on an understanding of
the Default servlet PoC and a quick look at Tomcat's WebDAV code. A
closer inspection shows that the Default servlet PoC won't work with
Tomcat's WebDAV implementation.

It looks to be unlikely that Tomcat's WebDAV implementation is
exploitable but as far as I am aware there hasn't been a great deal of
investigation in that direction. At this point it seems prudent to
assume that WebDAV could be vulnerable and mitigate accordingly.

> Does this
> also apply for individual web applications configuring a similar web.xml or
> is it only reproducible on the global default servlet?

CVE-2017-12615 applies in either of the above scenarios.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
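Since the answer above says CVE-2017-12615 applies both to the global conf/web.xml and to a per-application WEB-INF/web.xml, the practical check is to audit every web.xml for a DefaultServlet or WebdavServlet declared with readonly=false and see what URL pattern it is mapped to. The script below is an added example written for this thread, not code from the Tomcat project; it parses a constructed sample web.xml embedded inline (the servlet class names and the readonly init-param are the real Tomcat ones, the sample configuration itself is made up), reports the writable servlets with their mappings, and shows the hardened form with readonly forced back to true, which is Tomcat's default. It inspects configuration only and uploads nothing.

```python
"""Audit Tomcat web.xml for PUT-writable Default/WebDAV servlets (the precondition
for CVE-2017-12615). Added example for this thread, not Tomcat project code."""
import xml.etree.ElementTree as ET

# Tomcat servlet classes that honour the "readonly" init-param and accept PUT/DELETE
# when it is set to false. Both names are the real Tomcat classes.
WRITABLE_SERVLET_CLASSES = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

# Constructed sample: a global-style web.xml with a writable default servlet mapped to "/",
# a writable WebDAV servlet mapped to "/*", and the JSP servlet (which has no readonly param).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>jsp</servlet-name><url-pattern>*.jsp</url-pattern></servlet-mapping>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so any web-app schema version parses the same way."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _init_param(servlet, name):
    """Return the <init-param> element whose <param-name> equals `name`, or None."""
    for p in _children(servlet, "init-param"):
        names = _children(p, "param-name")
        if names and _text(names[0]) == name:
            return p
    return None


def find_writable_servlets(web_xml_text):
    """Return [(servlet-name, servlet-class, [url-patterns])] for every Default/WebDAV
    servlet declared with readonly=false. Tomcat defaults to readonly=true, so only an
    explicit "false" is reported; the mappings are included because the thread reports
    different behaviour for "/" and "/*"."""
    root = ET.fromstring(web_xml_text)
    mappings = {}
    for m in _children(root, "servlet-mapping"):
        names = _children(m, "servlet-name")
        if names:
            mappings.setdefault(_text(names[0]), []).extend(
                _text(u) for u in _children(m, "url-pattern"))
    findings = []
    for s in _children(root, "servlet"):
        classes = _children(s, "servlet-class")
        if not classes or _text(classes[0]) not in WRITABLE_SERVLET_CLASSES:
            continue
        name = _text(_children(s, "servlet-name")[0])
        param = _init_param(s, "readonly")
        if param is None:
            continue  # absent means Tomcat's default of readonly=true
        vals = _children(param, "param-value")
        if vals and _text(vals[0]).lower() == "false":
            findings.append((name, _text(classes[0]), mappings.get(name, [])))
    return findings


def harden_readonly(web_xml_text):
    """Return the web.xml text with readonly forced to true on every Default/WebDAV
    servlet, adding the init-param (after the last servlet-class/init-param, to keep
    schema order) where it is missing."""
    root = ET.fromstring(web_xml_text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for s in _children(root, "servlet"):
        classes = _children(s, "servlet-class")
        if not classes or _text(classes[0]) not in WRITABLE_SERVLET_CLASSES:
            continue
        param = _init_param(s, "readonly")
        if param is None:
            idx = max(i for i, c in enumerate(s)
                      if _local(c.tag) in ("servlet-class", "jsp-file", "init-param")) + 1
            param = ET.Element(ns + "init-param")
            ET.SubElement(param, ns + "param-name").text = "readonly"
            ET.SubElement(param, ns + "param-value").text = "true"
            s.insert(idx, param)
        else:
            for v in _children(param, "param-value"):
                v.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    # Usage: python audit_webxml.py [path/to/web.xml]; without a path the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for name, cls, patterns in find_writable_servlets(text):
        print(f"{name} ({cls}) mapped to {patterns or ['<unmapped>']}: readonly=false, PUT is accepted")
```

Run it against $CATALINA_BASE/conf/web.xml and then against each deployed application's WEB-INF/web.xml, since a per-application file can re-declare the default servlet with readonly=false even when the global one is read-only. The script checks only the readonly init-param; it does not see write access granted by other means, so treat an empty result as "this precondition is absent", not as proof the server is unaffected.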
