Posted to dev@tomcat.apache.org by "William L. Thomson Jr." <wl...@gentoo.org> on 2007/10/23 04:15:37 UTC

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

On Tue, 2007-10-23 at 00:39 +0100, Mark Thomas wrote:
> William L. Thomson Jr. wrote:
> 
> > Mostly because
> > to my understanding one must be authorized in webdav or etc to be able
> > to exploit the vulnerability.
> 
> To be clear, authorisation is not required for this vulnerability. Of
> course, if you open up write access without authorisation then you are
> taking on a whole bunch of other risks.

Thanks for the clarification.

This was misleading
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5461

This one is not as clear, but implies via remote authenticated users
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461

Could be all are assuming no one in their right educated mind would open
write access up to the world. But ya never know :)

-- 
William L. Thomson Jr.
Gentoo/Java