Bug 333791 (CVE-2007-5461)

Description:

Absolute path traversal vulnerability in Apache Tomcat, under certain
configurations, allows remote authenticated users to read arbitrary
files via a WebDAV write request that specifies an entity with a
SYSTEM tag.

Mail from Mark Thomas (Apache.org): 

A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full disclosure yesterday, 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
and not affected.

In order to be affected systems must have:
- one or more contexts configured for webdav using Tomcat's built-in
webdav implementation
- enabled write capability via webdav

Note:
- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
(/webdav) by default

Systems with write-enabled webdav contexts are exposed to this
vulnerability which, for such systems, is critical.

Mitigations available are:
- Disable write access until a fixed version is available
- Limit write access to trusted users
- Apply the following patch which will be included in the next
releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- src/share/org/apache/catalina/servlets/WebdavServlet.java
(revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java	(working
copy)
@@ -252,6 +252,7 @@
         try {
             documentBuilderFactory =
DocumentBuilderFactory.newInstance();
             documentBuilderFactory.setNamespaceAware(true);
+            documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
documentBuilderFactory.newDocumentBuilder();
         } catch(ParserConfigurationException e) {
             throw new ServletException

[1]
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html