tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
Date Sun, 11 Jan 2004 02:56:09 GMT

----- Original Message ----- 
From: "Bill Barker" <wbarker@wilshire.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Saturday, January 10, 2004 6:28 PM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability


>
> ----- Original Message ----- 
> From: "Remy Maucherat" <remm@apache.org>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> Sent: Saturday, January 10, 2004 5:24 AM
> Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
>
>
> > Remy Maucherat wrote:
> > > Bill Barker wrote:
> > >
> > >> I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
> > >> security-constraint in the ROOT web.xml) and Tomcat happily returned a
> > >> 403 response.
> > >
> > > I don't care about this lame XSS bug. However, what you describe doesn't
> > > work for me.
> >
> > There are two issues that I can see:
> > - if there's no auth-constraint, then it just passes through (I think it
> > should instead return a 403 right away)
>
> No, that's what the servlet-spec says should happen.
>
> > - if there's no login config, then it also just passes through (I think
> > it should instead return a 403 right away)
>
> I think this is a problem with the deployment (i.e. Tomcat doesn't register
> an Authenticator if it doesn't know which one to use).

Ok, this isn't right.  Tomcat defaults to NonLoginAuthenticator if there is
no login-config.  This one just approves everybody for everything.

>
> >
> > Those are likely regressions after the rewrite of the algorithm, but
> > it's good to find them before a release :)
> >
> > The idea is to fix the "vulnerability" by adding in conf/web.xml:
> >    <!-- ======================= Disable TRACE by default =================== -->
> >
> >    <security-constraint>
> >      <web-resource-collection>
> >         <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
> >         <url-pattern>/*</url-pattern>
> >         <http-method>TRACE</http-method>
> >      </web-resource-collection>
> >    </security-constraint>
> >
> > I'll do a quick bench to see if it hurts performance, just in case (I
> > think it doesn't as the matching is efficient).
> >
> > Rémy
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> >
>
>


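The security-constraint mechanism debated above, as an added example that is not code from the thread or from Tomcat: a small evaluator of the combination rules in the Servlet 2.4 specification's security-constraint section (SRV.12.8), run against constructed web.xml fragments, plus a constructed TRACE probe and response pair for checking a deployment afterwards. It shows the spec behaviour behind the "passes through" case: a matching constraint that has no <auth-constraint> combines to permit unauthenticated access, so a fragment in the shape posted above does not deny TRACE by itself; the form that yields a 403 for everyone is an empty <auth-constraint/>. The host name, marker value, role names and HTTP responses are constructed, and the evaluator follows the spec text, not Tomcat's own realm code.

```python
"""Servlet-spec security-constraint semantics applied to TRACE blocking.
Added example, not Tomcat code: it models the combination rules of the
Servlet 2.4 spec (SRV.12.8), not Tomcat's implementation; the web.xml
fragments, host, marker and HTTP responses below are all constructed."""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape discussed above: no <auth-constraint>.
WEBXML_NO_AUTH_CONSTRAINT = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Same constraint plus an empty <auth-constraint/>: no role may access.
WEBXML_EMPTY_AUTH_CONSTRAINT = WEBXML_NO_AUTH_CONSTRAINT.replace(
    "</web-resource-collection>",
    "</web-resource-collection>\n    <auth-constraint/>")

# A role-protected area (constructed), to show the authenticate-first path.
WEBXML_MANAGER = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _pattern_matches(pattern, path):
    """url-pattern matching: exact, path prefix (/foo/*), extension (*.jsp)
    or the default pattern (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def _matching_constraints(webxml, method, path):
    """All <security-constraint>s whose collection covers method and path.
    A collection with no <http-method> covers every method."""
    hits = []
    for sc in ET.fromstring(webxml).findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            if methods and method not in methods:
                continue
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            if any(_pattern_matches(p, path) for p in patterns):
                hits.append(sc)
                break
    return hits


def decide(webxml, method, path, roles=None):
    """Return 'ALLOW', 'AUTH' (must authenticate first) or 'DENY' (403).
    roles is the caller's role set, or None for an unauthenticated caller."""
    hits = _matching_constraints(webxml, method, path)
    if not hits:
        return "ALLOW"                      # unconstrained resource
    permitted = set()
    for sc in hits:
        ac = sc.find("auth-constraint")
        if ac is None:
            # A matching constraint without <auth-constraint> combines to
            # permit unauthenticated access: the request passes through.
            return "ALLOW"
        permitted.update(r.text.strip() for r in ac.findall("role-name"))
    if not permitted:
        return "DENY"                       # empty <auth-constraint/>: nobody
    if roles is None:
        return "AUTH"                       # container must challenge first
    if "*" in permitted or permitted & set(roles):  # '*' = any authenticated
        return "ALLOW"
    return "DENY"


def build_trace_probe(host, marker):
    """Raw TRACE request carrying a marker header, for testing a deployment."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Probe: {marker}\r\n"
            f"Connection: close\r\n\r\n").encode()


def trace_reflected(response, marker):
    """True if the TRACE response is a 200 whose body echoes the marker
    (TRACE still enabled); False for a 403 from the constraint, or a 405."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b" ", 2)
    status = parts[1] if len(parts) > 1 else b""
    return status == b"200" and marker.encode() in body


# Constructed responses standing in for what a server would return.
RESPONSE_ECHOED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                   + build_trace_probe("example.test", "xst-7f3a"))
RESPONSE_BLOCKED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(decide(WEBXML_NO_AUTH_CONSTRAINT, "TRACE", "/index.jsp"))     # ALLOW
    print(decide(WEBXML_EMPTY_AUTH_CONSTRAINT, "TRACE", "/index.jsp"))  # DENY
    print(trace_reflected(RESPONSE_ECHOED, "xst-7f3a"))                 # True
```

To check a real deployment, send the bytes from build_trace_probe over a socket and pass the reply to trace_reflected; a constraint that works yields a 403 with no echoed marker, while a 200 message/http body containing the marker means TRACE is still reachable.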

