Hello,

On Wed 20 Sep 2017 at 09:27, Mark Thomas <ma...@apache.org> wrote:

> On 19/09/17 14:10, Mark Thomas wrote:
> > On 19/09/17 14:00, André Warnier (tomcat) wrote:
> >> Hello.
> >>
> >> Did the issue below also affect the DAV application ?
> >
> > Yes, as the WebDAV servlet also processes HTTP PUT requests.
> >
> > The WebDAV servlet extends the Default servlet so they actually share
> > the implementation.
>
> Thinking about this a little more, it will depend on how the WebDAV
> servlet is mapped. While there is a configuration where this would be an
> issue for WebDAV, I don't think it is one that would normally be used.
>

I have tried to reproduce this issue on a fresh Tomcat 7.0.78 installation.
The issue can indeed easily be reproduced on the default servlet by setting the readonly property to false. After that, it is possible to PUT the JSP and the GET request will execute.

When I change the default servlet to be the WebDAV servlet, it can no longer PUT the JSP because of 409 errors.
Adjusting the servlet mapping from / to /* resolves the 409. But doing so seems to prevent the JSP execution; the GET request will just yield the contents of the JSP.

What do I need to do to get it reproduced for the WebDAV servlet as well? Or is this a theoretical thing and can we consider the WebDAV servlet configured in scenario 3 as not vulnerable in the real world?
Does this also apply for individual web applications configuring a similar web.xml or is it only reproducible on the global default servlet?

For clarity, my scenarios are:

1. == Default servlet reproduction
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml, add <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param> to <servlet-name>default</servlet-name>
- PUT possible
- GET executes JSP -> vulnerable!

2. == WebDAV servlet reproduction with mapping on '/'
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml, change to <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class> for <servlet-name>default</servlet-name>
- Modify [tomcat]/conf/web.xml, add <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param> to <servlet-name>default</servlet-name>
- PUT fails with 409 message -> not vulnerable?

3. == WebDAV servlet reproduction with mapping on '/*'
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml, change to <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class> for <servlet-name>default</servlet-name>
- Modify [tomcat]/conf/web.xml, add <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param> to <servlet-name>default</servlet-name>
- Modify [tomcat]/conf/web.xml, change url pattern <url-pattern>/</url-pattern> to <url-pattern>/*</url-pattern> (for <servlet-name>default</servlet-name>)
- PUT possible
- GET retrieves the content for the JSP -> not vulnerable right now?

Thank you for your feedback,

Regards,
Maarten van Hulsentop
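
Added example, not part of the original message or of Tomcat's own code: a configuration check that parses a web.xml and lists every servlet whose class is the Default or WebDAV servlet with readonly switched off, together with its URL patterns, which is the setting all three scenarios in the message share. The function name and the sample web.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Servlet classes that accept HTTP PUT once readonly is switched off.
PUT_CAPABLE = {"org.apache.catalina.servlets.DefaultServlet",
               "org.apache.catalina.servlets.WebdavServlet"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_writable_servlets(web_xml_text):
    """Return (servlet-name, servlet-class, url-patterns) for servlets with readonly disabled."""
    root = ET.fromstring(web_xml_text)
    mappings = {}
    for elem in root:
        if _local(elem.tag) == "servlet-mapping":
            pats = [(c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern"]
            mappings.setdefault(_text(elem, "servlet-name"), []).extend(pats)
    findings = []
    for elem in root:
        if _local(elem.tag) != "servlet" or _text(elem, "servlet-class") not in PUT_CAPABLE:
            continue
        for param in elem:
            if _local(param.tag) != "init-param" or _text(param, "param-name") != "readonly":
                continue
            # Conservative assumption: any value other than "true" counts as writable.
            if (_text(param, "param-value") or "").lower() != "true":
                name = _text(elem, "servlet-name")
                findings.append((name, _text(elem, "servlet-class"), mappings.get(name, [])))
    return findings

# Constructed sample mirroring scenario 3: WebDAV servlet named "default", mapped on /*.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/*</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    for name, cls, patterns in find_writable_servlets(SAMPLE):
        print(f"readonly=false: {name} ({cls}) mapped on {patterns}")
```

Running the same function over each application's WEB-INF/web.xml as well as [tomcat]/conf/web.xml covers per-application servlet definitions in addition to the global one.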