Thanks.

On Fri, 18 Feb 2005, Tim Funk wrote:

> If readonly is set to true, then PUT and DELETE are disabled. The scanning 
> tool might be expecting a different HTTP status code when trying to exploit 
> PUT and DELETE.
> 
> -Tim
> 
> Ben Kim wrote:
> 
> >>It should already be disabled. See the configuration of the DefaultServlet 
> >>in 
> >>  $CATALINA_HOME/conf/web.xml
> > 
> > 
> > I'd appreciate more advice.
> > 
> > I've tested it myself and it didn't work. My nessus also says it could not
> > exploit it but recommends I disable it. 
> > 
> > Here's my DefaultServlet section, all surrounded by <!-- --> line by line,
> > from the $CATALINA_HOME/conf/web.xml.
> > 
> > Am I right to interpret this as saying that "readonly" is [true] by
> > default (hence commented out) for DefaultServlet, so that any DELETE or
> > PUT attempt is rejected?
> > 
> > ===================================================================
> > 
> > The default servlet for all web applications, that serves static
> > servlets with servlet mappings (defined either here or in your own
> > web.xml file.  This servlet supports the following initialization
> > parameters (default values are in square brackets):
> > ...
> > readonly  Is this context "read only", so HTTP commands like PUT and
> >       DELETE are rejected?  [true]
> > 
> > ====================================================================
> > 
> > So, could I say it's been already disabled in 5.0.28 and nessus's finding
> > is wrong?
> > 
> > I need to either correct this problem, or submit an explanation of why it
> > is not necessary, to my security folks, so would appreciate some kind of
> > confirmation from anyone knowledgeable.
> > 
> > 
> > Thanks,
> > 
> > Ben Kim
> > Database Developer/Systems Administrator
> > 434E Harrington Tower / College of Education 
> > Texas A&M University
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
> > 
> 

Regards,

Ben Kim
Database Developer/Systems Administrator
434E Harrington Tower / College of Education 
Texas A&M University


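The question in this thread is whether a commented-out `readonly` line in `conf/web.xml` means the DefaultServlet still rejects PUT and DELETE. The script below is an added example (not code from the thread or from Tomcat) that audits a web.xml the way a reviewer would before answering the security team: it finds the servlet whose class is `org.apache.catalina.servlets.DefaultServlet`, reports whether `readonly` is set explicitly, and otherwise applies the documented default of `true`. Both web.xml excerpts are constructed for the example; the servlet class name is Tomcat's real one.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet's effective 'readonly' setting."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed excerpt in the shape of a Tomcat 5.x conf/web.xml. 'readonly' is
# left out, as in the thread, so Tomcat's documented default of true applies.
WEB_XML_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed variant in which an administrator has explicitly enabled writes;
# this is the configuration a scanner finding would actually be right about.
WEB_XML_WRITABLE = WEB_XML_DEFAULT.replace(
    "<load-on-startup>1</load-on-startup>",
    "<init-param>\n      <param-name>readonly</param-name>\n"
    "      <param-value>false</param-value>\n    </init-param>\n"
    "    <load-on-startup>1</load-on-startup>",
)


def _local(tag):
    """Strip the XML namespace so the same code works for any web-app schema version."""
    return tag.split("}", 1)[-1]


def audit_default_servlet(web_xml_text):
    """Return a dict describing the DefaultServlet's effective 'readonly' value.

    found    - a DefaultServlet definition exists in the file
    explicit - 'readonly' is set in the file (otherwise Tomcat's default applies)
    readonly - effective value; True means PUT and DELETE are rejected
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif tag == "init-param":
                name = value = None
                for field in child:
                    if _local(field.tag) == "param-name":
                        name = (field.text or "").strip()
                    elif _local(field.tag) == "param-value":
                        value = (field.text or "").strip()
                if name:
                    params[name] = value
        if servlet_class == DEFAULT_SERVLET_CLASS:
            value = params.get("readonly")
            if value is None:
                # Parameter absent: the documented default [true] is in force.
                return {"found": True, "explicit": False, "readonly": True}
            return {"found": True, "explicit": True, "readonly": value.lower() == "true"}
    return {"found": False, "explicit": False, "readonly": None}


def report(web_xml_text):
    """One-line summary suitable for pasting into a ticket reply."""
    result = audit_default_servlet(web_xml_text)
    if not result["found"]:
        return "no DefaultServlet definition found"
    source = "explicit" if result["explicit"] else "Tomcat default"
    state = "rejected" if result["readonly"] else "ALLOWED"
    return f"readonly={str(result['readonly']).lower()} ({source}): PUT/DELETE {state}"


if __name__ == "__main__":
    for label, text in (("as shipped", WEB_XML_DEFAULT), ("writable", WEB_XML_WRITABLE)):
        print(f"{label}: {report(text)}")
```

To audit a real installation, read `$CATALINA_HOME/conf/web.xml` into `audit_default_servlet`; since a web application's own `WEB-INF/web.xml` may redefine the default servlet with its own init-params (the comment quoted above says the mappings can be "defined either here or in your own web.xml file"), run the same check over each deployed application's descriptor as well.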