Posted to dev@tomcat.apache.org by "William L. Thomson Jr." <wl...@gentoo.org> on 2007/10/23 04:15:37 UTC
Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]
On Tue, 2007-10-23 at 00:39 +0100, Mark Thomas wrote:
> William L. Thomson Jr. wrote:
>
> > Mostly because
> > to my understanding one must be authorized in webdav or etc to be able
> > to exploit the vulnerability.
>
> To be clear, authorisation is not required for this vulnerability. Of
> course, if you open up write access without authorisation then you are
> taking on a whole bunch of other risks.
Thanks for the clarification.
This was misleading
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5461
This one is not as clear, but implies via remote authenticated users
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
Could be all are assuming no one in their right educated mind would open
write access up to the world. But ya never know :)
--
William L. Thomson Jr.
Gentoo/Java