-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Please that an additional patch has been developed as a result of
further investigation.
A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full-disclosure on 14-Oct-2007.[1]
The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
and not affected.
In order to be affected systems must have:
- - one or more contexts configured for webdav using Tomcat's built-in
webdav implementation
- - enabled write capability via webdav
Note:
- - Tomcat 6.0.x has no webdav enabled contexts by default
- - Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
(/webdav) by default
Systems with write-enabled webdav contexts that use Tomcat's built-in
webdav servlet are exposed to this vulnerability which, for such
systems, is important.
The mitigations available are:
- - Disable write access until a fixed version is released
- - Limit write access to trusted users
- - Apply the following patch which will be included in the next
releases of 6.0.x, 5.5.x and 4.1.x
Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- src/share/org/apache/catalina/servlets/WebdavServlet.java
(revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java (working
copy)
@@ -252,6 +252,7 @@
try {
documentBuilderFactory =
DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
+ documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder =
documentBuilderFactory.newDocumentBuilder();
} catch(ParserConfigurationException e) {
throw new ServletException
** Additional Path **
Index: org/apache/catalina/servlets/LocalStrings.properties
===================================================================
- --- org/apache/catalina/servlets/LocalStrings.properties (revision
586817)
+++ org/apache/catalina/servlets/LocalStrings.properties (working copy)
@@ -25,6 +25,7 @@
invokerServlet.notNamed=Cannot call invoker servlet with a named
dispatcher
invokerServlet.noWrapper=Container has not called setWrapper() for
this servlet
webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference
to an external entity with PublicID {0} and SystemID {1} which was ignored
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
Index: org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- org/apache/catalina/servlets/WebdavServlet.java (revision 586817)
+++ org/apache/catalina/servlets/WebdavServlet.java (working copy)
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.security.MessageDigest;
@@ -36,6 +37,7 @@
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -245,6 +248,8 @@
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder =
documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(
+ new WebdavResolver(this.getServletContext()));
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
@@ -2779,6 +2784,26 @@
}
+ // --------------------------------------------- WebdavResolver
Inner Class
+ /**
+ * Work around for XML parsers that don't fully respect
+ * [EMAIL PROTECTED]
DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+ * references are filtered out for security reasons. See
CVE-2007-5461.
+ */
+ private class WebdavResolver implements EntityResolver {
+ private ServletContext context;
+
+ public WebdavResolver(ServletContext theContext) {
+ context = theContext;
+ }
+
+ public InputSource resolveEntity (String publicId, String
systemId) {
+
context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+ publicId, systemId));
+ return new InputSource(
+ new StringReader("Ignored external entity"));
+ }
+ }
};
[1]
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html
- ---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHGsHZb7IeiTPGAkMRApR0AJwN589C3UddiSIDJ3NRp16wEo9ueACbBanu
H4Ys6YNInkmyph16Qy0Cbz4=
=dUO/
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
