tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Deny Put & Delete
Date Thu, 23 Jan 2014 16:59:28 GMT
Stephan Fletcher wrote:
> It's a third party that is running the scan.

On this list, please do not top-post.

Maybe another response:

There are regular reports on this list of similar "security scanners" which find what they
deem to be "security vulnerabilities". Consult the list archives for more info.
It turns out that in about 99% of the cases, the problem is with the security scanner
software, and not with any real vulnerability in Tomcat.

That explains the kind of responses that you have seen so far.
Such reports mostly cause a lot of worries and jumping around, to end up generally with 
nothing to really worry about, apart from time lost for everyone.
That's why people get jumpy at such posts.

If you are in the middle, there is not much you can do about it, except be confident 
enough to tell the originators of the report to please check their data, and explain why 
they think that there is a security issue.
If it turns out that there is a real security issue, explained in more detail than just 
claiming that there is one, it will be tackled with urgency by the Tomcat developers.


> 
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Thursday, January 23, 2014 10:05 AM
> To: Tomcat Users List
> Subject: Re: Deny Put & Delete
> 
> On 23/01/2014 14:57, Stephan Fletcher wrote:
>> Any help would be greatly appreciated
> 
> <rant>
> Buy a better vulnerability scanner. Specifically, one that understands that an OPTIONS request
> returns the methods that are *available*, not the methods that are *permitted*.
> </rant>
> 
> Assuming you haven't changed Tomcat's default configuration, any attempt to actually PUT
> or DELETE a resource will be denied.
> 
> I have a recollection that we changed the implementation of the OPTIONS request to try
> and help with this sort of thing. Scratch that. That was for TRACE, which won't be included
> in an OPTIONS response unless Tomcat can confirm that it has been explicitly enabled in the
> Connector.
> 
> Mark
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 


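The distinction Mark draws (OPTIONS lists what is available, not what is permitted) is easy to verify directly rather than argue about. The following is an added example, not code from this thread or from the Tomcat project: it compares the `Allow` header returned by OPTIONS with the status an actual PUT and DELETE receive for a non-existent probe path, so an OPTIONS-based scanner finding can be confirmed or dismissed against your own server. The `_StandIn` server, the probe path and the function names are constructed for the demonstration; the stand-in mimics the behaviour the thread describes (write methods advertised, real requests refused) and is not Tomcat. Pointed at a real server via `probe(base_url)`, the same code simply reports what it observes.

```python
"""Compare what OPTIONS advertises with what the server actually permits.

Added example; not code from the thread or from the Tomcat project.
Constructed pieces: the _StandIn server (mimics the behaviour described in
the thread: OPTIONS lists PUT/DELETE, the real requests are refused) and the
probe path, which is a hypothetical, non-existent resource.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

PROBE_PATH = "/__method-probe-does-not-exist.txt"  # hypothetical resource


def _request(base_url, method, path, body=None, timeout=5):
    """One request on a fresh connection; returns (status, lower-cased header dict)."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        headers = {"Content-Type": "text/plain"} if body is not None else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def probe(base_url, path=PROBE_PATH):
    """Return what OPTIONS advertises and the status each write method really gets."""
    _, headers = _request(base_url, "OPTIONS", path)
    allow = headers.get("allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    status = {
        "PUT": _request(base_url, "PUT", path, body=b"probe")[0],
        "DELETE": _request(base_url, "DELETE", path)[0],
    }
    return {"advertised": advertised, "status": status}


def classify(report):
    """Per method: 'permitted' only if the real request succeeded (2xx);
    'advertised-but-denied' is the scanner false positive the thread is about."""
    verdict = {}
    for method, code in report["status"].items():
        if 200 <= code < 300:
            verdict[method] = "permitted"
        elif method in report["advertised"]:
            verdict[method] = "advertised-but-denied"
        else:
            verdict[method] = "denied"
    return verdict


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in, NOT Tomcat: advertises PUT/DELETE, refuses them."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _refuse(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_PUT = _refuse
    do_DELETE = _refuse


def run_demo():
    """Start the stand-in on a free local port, probe it, return (report, verdicts)."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        report = probe(f"http://127.0.0.1:{srv.server_port}")
        return report, classify(report)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    report, verdicts = run_demo()
    print("OPTIONS advertised:", sorted(report["advertised"]))
    for m in ("PUT", "DELETE"):
        print(f"{m}: HTTP {report['status'][m]} -> {verdicts[m]}")
```

A verdict of `advertised-but-denied` is exactly the situation in this thread: the method appears in `Allow`, but the server refuses the real request, so there is nothing to fix. Only a `permitted` verdict, a 2xx on the actual PUT or DELETE, would be worth raising; in that case the thing to inspect is the DefaultServlet configuration rather than the OPTIONS response.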