Return-Path:
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 90390 invoked from network); 11 Sep 2003 16:35:43 -0000
Received: from unknown (HELO corpw2kds01.oshtruck.com) (12.37.1.125) by daedalus.apache.org with SMTP; 11 Sep 2003 16:35:43 -0000
Subject: TRACE/TRACK methods
To: tomcat-user@jakarta.apache.org
X-Mailer: Lotus Notes Release 5.0.12 February 13, 2003
Message-ID:
From: "Mark Lenz"
Date: Thu, 11 Sep 2003 11:37:12 -0500
X-MIMETrack: Serialize by Router on CorpW2KDS01/Hub(Release 5.0.10 |March 22, 2002) at 09/11/2003 11:36:18 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Our company conducted a security audit and Tomcat was reported as supporting TRACE and TRACK. It said, "It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers."

I have been assigned the task of turning off this support, but I have searched Google, the tomcat-user archives and the Tomcat documentation to no avail. Does anyone know how to disable these methods?

Thanks.

Mark Lenz
Software Engineer
Control Systems Group
Pierce Manufacturing, Inc.
(920) 832-3523
mlenz@piercemfg.com

The information contained in this electronic mail message is confidential information and intended only for the use of the individual or entity named above, and may be privileged. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, please contact the sender immediately, delete this material from your computer and destroy all related paper media.

Please note that the documents transmitted are not intended to be binding until a hard copy has been manually signed by all parties. Thank you.
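The audit finding above can be reproduced, and a fix later verified, with a small probe that sends a TRACE (or TRACK, the IIS-specific alias scanners test for regardless of server) request carrying a marker header and checks whether the server reflects it back. What follows is an added example, not code from Mark's post or from Tomcat; the host name, the X-Xst-Probe header and the three sample responses are constructed for illustration, and the network path assumes plain HTTP on a TCP port, not TLS.

```python
"""Probe an HTTP server for TRACE/TRACK support (the XST check).

Added example, not from the original mailing-list post or from Tomcat.
The sample responses at the bottom are constructed, not captured.
"""
import socket

METHODS = ("TRACE", "TRACK")


def build_request(method: str, host: str, path: str = "/") -> bytes:
    """Build a minimal HTTP/1.1 request carrying a marker header.

    A server that honours TRACE echoes the request, marker included,
    back in the response body; that reflection is what XST abuses.
    The X-Xst-Probe header name is an assumption, not a standard.
    """
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "X-Xst-Probe: canary\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def method_enabled(raw_response: bytes) -> bool:
    """True if the response shows the probed method was honoured.

    Either a 200 with Content-Type message/http (the TRACE reply format)
    or a body that echoes our marker header counts as reflection; a 405
    or 501, or a 200 without the echo, does not.
    """
    status, headers, body = parse_response(raw_response)
    reflected = b"X-Xst-Probe: canary" in body
    is_trace_reply = status == 200 and headers.get("content-type", "").startswith("message/http")
    return is_trace_reply or reflected


def probe(host: str, port: int = 80, method: str = "TRACE", timeout: float = 5.0) -> bool:
    """Send one probe over a plain TCP socket and classify the answer (network use only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return method_enabled(b"".join(chunks))


# Constructed sample responses (not captured from a real server).
REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Xst-Probe: canary\r\n"
)
REJECTED_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"
)
REJECTED_501 = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"


def audit_samples() -> dict:
    """Classify the constructed samples; returns {label: method enabled?}."""
    return {
        "reflected": method_enabled(REFLECTED),
        "405": method_enabled(REJECTED_405),
        "501": method_enabled(REJECTED_501),
    }


if __name__ == "__main__":
    print(audit_samples())
    # Against a live host: for m in METHODS: print(m, probe("example.test", 8080, m))
```

Run it before and after changing the server configuration: a server that is safe answers both methods with 405 or 501 (or drops the connection), and the marker never appears in the body. Testing over the same port and virtual host the auditor used matters, since TRACE handling can differ per connector or front-end proxy.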