tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: How do I disable HTTP TRACE in Tomcat
Date Mon, 23 Jun 2003 00:53:17 GMT
In web.xml - use a security constraint to disallow trace.

It is similar to this:
http://jakarta.apache.org/tomcat/faq/security.html#https

-Tim

Peter M. Gerken wrote:
> Hi..
> 
> I'm using tomcat 4.1.24 and the sys admins found a potential security 
> hole by sending an HTTP TRACE. They told me I need to fix it by following 
> the instructions in the following URL:
> 
> http://www.kb.cert.org/vuls/id/867593
> 
> However, I'm not using the Apache HTTP Server, just Tomcat with its 
> embedded server.  Is there any way to disable an HTTP TRACE sent to tomcat?
> 
> Here's the test I need to fail...
> 
> telnet xxx.xxx.xxx.xxx 8080
> 
> type in "TRACE / HTTP/1.0"  and hit return twice... it shows...
> 
> 
> HTTP/1.1 200 OK
> Content-Type: message/http
> Content-Length: 18
> Date: Sun, 22 Jun 2003 22:52:24 GMT
> Server: Apache Coyote/1.0
> Connection: close
> 
> TRACE / HTTP/1.0
> 
> 
> I need that to fail to get the sys admins off my back.
> 
> Any help would be much appreciated!
> 
> Thanks!!
> 
> Pete
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
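
The security constraint suggested in the reply could look like the following. This is an added example, not part of the original message or the linked FAQ; it uses only standard servlet deployment descriptor elements, and the web-resource-name value is an arbitrary label chosen here.

```xml
<!-- Added example: place inside <web-app> in the application's WEB-INF/web.xml.
     In a DTD-validated descriptor it must come before any <login-config>. -->
<security-constraint>
  <web-resource-collection>
    <!-- Descriptive label only; the name is an assumption. -->
    <web-resource-name>Disallow TRACE</web-resource-name>
    <!-- Cover every URL served by this web application. -->
    <url-pattern>/*</url-pattern>
    <!-- Listing a method restricts the constraint to that method;
         GET, POST and the rest are not affected. -->
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- An auth-constraint with no role-name permits no role at all,
       so the container refuses every TRACE request. -->
  <auth-constraint/>
</security-constraint>
```

After redeploying, repeat the telnet test from the quoted message: the expected result is a 403 Forbidden response rather than a 200 with the request echoed back in a message/http body.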

