SECURITY BUG: No place to disable HTTP TRACE vulnerability

Google

Mailing List

Home

Forum Home

JBoss - Java Application Server

Struts - A MVC web framework

Tomcat - JSP/Servlet container

iText - An open source PDF Java Library

JDOM - JDOM XML Parser

J2EE - A mailing list for Java(tm) 2 Platform, Enterprise Edition

J2EE Pattern - An interest list for Sun Java Center J2EE Pattern Catalog

Servlet - A mailing list for discussion about Sun Microsystem's Java Servlet API Technology

JSP - A mailing list about Java Server Pages specification and reference

Struts & Hibernate

Subjects

•	JSP editor plugin for eclipse ?
•	org apache jasper JasperException: Unable to compile class for JSP
•	Tomcat: Connection reset by peer: socket write error
•	Cannot retrieve definition for form bean null
•	Struts Tiles Tutorial (free Struts training)
•	Where do I download Tomcat 4 0 6?
•	Data Access Object (DAO) pattern, example DAO 's
•	Where to download Tomcat v 4 1 24 from?
•	Tomcat 5 0 16 Requested resource not available
•	Oracle Connection Pooling in 3 2 2
•	Servlet : Session invalidate
•	Servlet action is currently unavailable
•	Tomcat/Struts Unicode Encoding/Decoding problems
•	Tomcat and webapplication specific java library path
•	Running a Simple JMS Example
•	Mapping in workers2 properties
•	org apache jasper JasperException
•	Cannot find message resources under key org apache struts action MESSAGE
•	problem with html:text bean throwing exception
•	Cannot find message resources under key org apache struts action MESSAGE
•	invalid direct reference problem with solution
•	Tool for jsp debug Try Sysdeo Eclipse Plugin
•	Tomcat 5 Cannot load JDBC driver class 'null ' SQL state: null
•	weblogic ejbc
•	java properties file
•	Jboss 3 2 3 Coyote Can 't re
•	Tomcat 5, Apache2 and mod jk2 integration problem
•	JBoss example problem new to J2EE
•	url string for connecting jboss to oracle
•	Value attribute of <html:checkbox
•	javax servlet ServletException: BeanUtils populate
•	HTTP Status 404 The requested resource is not available
•	5 0 18: Windows XP Pro vs Windows 2000

SECURITY BUG: No place to disable HTTP TRACE vulnerability

SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-09 - By Shapira, Yoav

Back

Reply: 1 2 3 4 5 6

Howdy,

>There does not appear to be any place in Tomcat to disable the HTTP
TRACE.
>This is a well known vulnerability that affects most servers and is
>consistently used by hackers to gather information useful for their
>attacks.

This is discussed here, as you've noted:
http://marc.theaimsgroup.com/?l=tomcat-user&m5632353125969&w=2

Having applied the security constraint, did you try exploiting TRACE or
did you just run your security analysis tool?

>Is there a formal URL for reporting Tomcat bugs?

This is the place.

>In the past I have detected other bugs, posted them on this list and
>received no replies whatsoever.

Perhaps that's because no one cares? Especially if a fix is known, as
it is for this issue.

>I searched the web for solutions, and I found only the following
useless
>"solutions":

Or perhaps it's because people don't care to respond when the original
post uses such an offensive tone ;)

Yoav Shapira

This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential, proprietary
and/or privileged. This e-mail is intended only for the individual(s) to whom
it is addressed, and may not be saved, copied, printed, disclosed or used by
anyone else. If you are not the(an) intended recipient, please immediately
delete this e-mail from your computer system and notify the sender. Thank you.

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)