tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: allowTrace="false" allowing Trace Method
Date Thu, 14 Jan 2010 12:11:57 GMT
On 14/01/2010 11:16, iainmac wrote:
>
> Sorry, not sure what you want an example of, and not sure what you mean when
> you ask what connectors I am using (not really an expert)

The Connectors are defined in the server.xml file. Either HTTP or AJP; 
it should be clear which.


> Using Tomcat 5.0.16.

Tomcat 5.0 is now unsupported, you should upgrade to (at least) the 
latest 5.5 at the first opportunity.

Version .16 is old; there have been many bug fixes since it was released, 
and probably a couple of security issues fixed too.


p



> My workaround did pass the security scan.  Strangely, I had the same version
> of Tomcat on a different box where the allowTrace="false" did what it was
> supposed to.  I was flummoxed when it didn't work on the new box.
>
> Iain
>
>
> Christopher Schultz-2 wrote:
>>
>> Ian,
>>
>> On 1/13/2010 12:37 PM, iainmac wrote:
>>> I need to disable TRACE to pass a security scan, so I added
>>> allowTrace="false" to all my connectors, but it's still allowing TRACE!
>>
>> Can you give us an example?
>>
>> Recently, someone complained that the JSPServlet will allow /any/ HTTP
>> method, even methods that are not defined like:
>>
>> FOO /path/to/my.jsp HTTP/1.1
>>
>> Teh FOO method ist allowed!!111!!!ELEVEN!!
>>
>> For whatever reason, the JSPServlet specifically allows any method,
>> including TRACE.
>>
>> I've never used allowTrace="false", though it /is/ the default.
>>
>>> I had to work around with urlrewrite and a jsp with 1 line which was
>>> response.sendError(response.SC_NOT_IMPLEMENTED, "NOT IMPLEMENTED");
>>
>> And does this pass your security audit?
>>
>>> However, I would prefer the allowTrace="false" to work properly!
>>
>> Agreed, though the documentation doesn't state what happens when
>> allowTrace="true" versus allowTrace="false": it just says "enables or
>> disables the TRACE method" without describing the expected behavior.
>>
>>> Any ideas as to why it's not working?
>>
>> Not without looking at the code. You are welcome to check it out. Which
>> connector(s) are you using? What version of Tomcat are you running?
>>
>> -chris
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
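The thread turns on two questions: does the server still answer TRACE after allowTrace="false", and does the JspServlet accept an undefined verb such as FOO? The script below is an added example, not code from this thread or from the Tomcat project. It sends a raw request per method and classifies the answer: a TRACE reply that echoes a marker header back in the body is what a scanner flags (cross-site tracing); a 403, 405 or 501 counts as rejected (501 being what the sendError workaround above produces); anything else is accepted. The host, port and path are arguments, the X-Probe-Marker header name is an arbitrary choice of this example, and the sample responses embedded at the bottom are constructed so it can be run and checked offline.

```python
"""Probe an HTTP server for TRACE and for undefined methods (added example)."""
import socket
import sys

# Hypothetical marker header value: if TRACE is live, the server echoes the
# request back as the response body, so this value reappears there.
MARKER_VALUE = "trace-check-42"
# Status codes that mean the method was refused: 403 (security-constraint),
# 405 (Method Not Allowed) and 501 (the sendError workaround from the thread).
REJECTING_STATUSES = {403, 405, 501}


def build_request(method, path, host):
    """Minimal HTTP/1.1 request; Connection: close so recv() sees EOF."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Probe-Marker: {MARKER_VALUE}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1].decode("ascii"))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("iso-8859-1")] = (
            value.strip().decode("iso-8859-1"))
    return status, headers, body


def classify(method, raw):
    """'rejected'  : server refused the method (403/405/501)
       'reflected' : TRACE answered and echoed our request (XST exposure)
       'accepted'  : server served the method without complaint"""
    status, _headers, body = parse_response(raw)
    if status in REJECTING_STATUSES:
        return "rejected"
    # Servers may lower-case echoed header names, so compare case-insensitively.
    if method == "TRACE" and MARKER_VALUE.encode("ascii") in body.lower():
        return "reflected"
    return "accepted"


def probe(host, port, path="/", methods=("TRACE", "FOO"), timeout=5.0):
    """Send each method in turn and classify the answer. One connection per
    method, because the server may close the socket after an unknown verb."""
    results = {}
    for method in methods:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(method, path, host))
            chunks = []
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        results[method] = classify(method, b"".join(chunks))
    return results


# Constructed sample responses for offline use; not captured from a real server.
SAMPLE_TRACE_REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE /index.jsp HTTP/1.1\r\n"
    b"host: example.test\r\n"
    b"x-probe-marker: trace-check-42\r\n"
    b"connection: close\r\n"
)
SAMPLE_TRACE_REJECTED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"\r\n"
)
SAMPLE_FOO_ACCEPTED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
)
SAMPLE_FOO_WORKAROUND = b"HTTP/1.1 501 Not Implemented\r\n\r\n"


def offline_demo():
    """Classify the constructed samples without touching the network."""
    return {
        "TRACE reflected": classify("TRACE", SAMPLE_TRACE_REFLECTED),
        "TRACE rejected": classify("TRACE", SAMPLE_TRACE_REJECTED),
        "FOO accepted": classify("FOO", SAMPLE_FOO_ACCEPTED),
        "FOO workaround": classify("FOO", SAMPLE_FOO_WORKAROUND),
    }


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
        print(probe(sys.argv[1], int(sys.argv[2]), target_path))
    else:
        for label, verdict in offline_demo().items():
            print(f"{label}: {verdict}")
```

Run it with a host and port (and optionally a .jsp path, since the JspServlet is the component that reportedly accepts any verb) to probe a live server; with no arguments it classifies the constructed samples. Probe a plain static path and a .jsp path separately: a server can reject TRACE at the connector and still accept FOO on a JSP, which is exactly the split the thread describes.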

