tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
Date Sun, 11 Jan 2004 02:28:43 GMT

----- Original Message ----- 
From: "Remy Maucherat" <remm@apache.org>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Saturday, January 10, 2004 5:24 AM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability


> Remy Maucherat wrote:
> > Bill Barker wrote:
> >
> >> I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
> >> security-constraint in the ROOT web.xml) and Tomcat happily returned a
> >> 403
> >> response.
> >
> > I don't care about this lame XSS bug. However, what you describe doesn't
> > work for me.
>
> There are two issues that I can see:
> - if there's no auth-constraint, then it just passes through (I think it
> should instead return a 403 right away)

No, that's what the servlet-spec says should happen.

> - if there's no login config, then it also just passes through (I think
> it should instead return a 403 right away)

I think this is a problem with the deployment (i.e. Tomcat doesn't register
an Authenticator if it doesn't know which one to use).

>
> Those are likely regressions after the rewrite of the algorithm, but
> it's good to find them before a release :)
>
> The idea is to fix the "vulnerability" by adding in conf/web.xml:
>    <!-- ======================= Disable TRACE by default =================== -->
>
>    <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
>         <url-pattern>/*</url-pattern>
>         <http-method>TRACE</http-method>
>      </web-resource-collection>
>    </security-constraint>
>
> I'll do a quick bench to see if it hurts performance, just in case (I
> think it doesn't as the matching is efficient).
>
> Rémy
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
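As an added example, not the configuration posted in the thread: the constraint quoted above has no auth-constraint, and as Bill notes the servlet spec then imposes no authorization requirement, so TRACE still passes through. The second form adds an empty auth-constraint, which denies every role and is what actually refuses TRACE. It assumes the fragment sits inside the web-app element of conf/web.xml (or a single webapp's WEB-INF/web.xml).

```xml
<!-- Added example, not the thread's configuration.
     Place inside <web-app> in conf/web.xml (all webapps) or WEB-INF/web.xml (one webapp). -->

<!-- As posted: web-resource-collection only, no auth-constraint.
     Per the servlet spec a constraint without an auth-constraint places no
     authorization requirement on the collection, so TRACE is still allowed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
</security-constraint>

<!-- Corrected: an empty auth-constraint means no role is permitted, so a
     TRACE request to any path is refused (403). No realm user can satisfy an
     empty role set, so nothing else is needed to deny the method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

After deploying, confirm with a TRACE request against the server that the response is a 403 rather than an echo of the request headers; the thread reports a build where a missing login-config still let the request through, so check rather than assume.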

