Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-22 Thread Mark Thomas
On 22/09/17 10:36, Maarten van Hulsentop wrote: > I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation. > The issue can indeed easily be reproduced on the default servlet by setting > the readonly property to false. After that, it is possible to PUT the jsp > and the GET reque

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-22 Thread Maarten van Hulsentop
Hello, On Wed 20 Sep 2017 at 09:27, Mark Thomas wrote: > On 19/09/17 14:10, Mark Thomas wrote: > > On 19/09/17 14:00, André Warnier (tomcat) wrote: > >> Hello. > >> > >> Did the issue below also affect the DAV application ? > > > > Yes, as the WebDAV servlet also processes HTTP PUT requests. >

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-20 Thread Mark Thomas
> And if yes, also only under Windows ? > > Yes. This is, as far as we can tell, Windows specific. > > HTH, > > Mark > > >> >> ---- Forwarded Message -------- >> Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution >> via J

RE: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Thakur, Gulam (IBM)
- From: Mark Thomas [mailto:ma...@apache.org] Sent: 19 September 2017 14:10 To: Tomcat Users List Subject: Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload On 19/09/17 14:00, André Warnier (tomcat) wrote: > Hello. > > Did the issue below also affec

RE: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Thakur, Gulam (IBM)
: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload Hello. Did the issue below also affect the DAV application ? And if yes, also only under Windows ? Forwarded Message Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
s, also only under Windows ? Yes. This is, as far as we can tell, Windows specific. HTH, Mark > > Forwarded Message ---- > Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution > via JSP upload > Date: Tue, 19 Sep 2017 11:58:44 +0100 > From: Mark Th

Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread tomcat
Hello. Did the issue below also affect the DAV application ? And if yes, also only under Windows ? Forwarded Message Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload Date: Tue, 19 Sep 2017 11:58:44 +0100 From: Mark Thomas Reply-To: Tomcat

[CORRECTION][SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
The body of the original advisory referred to CVE-2017-7674. This was incorrect. It was a copy and paste error from a previous Tomcat advisory. The correct CVE reference is CVE-2017-12615, as per the subject line. On 19/09/17 11:58, Mark Thomas wrote: > CVE-2017-12615 Apache Tomcat Remote Code E

[SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 7.0.0 to 7.0.79 Description: When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the