DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39396>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39396

           Summary: OPTIONS request on directory with no default file
                    reports an incorrect list of allowed HTTP verbs
           Product: Tomcat 5
           Version: 5.5.9
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connector:Coyote
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]


When an "OPTIONS" HTTP request is made to Tomcat for a directory that has no 
default file (like index.jsp) in it, Tomcat reports a full list of allowed 
verbs, when in fact most of them are NOT allowed.  For example, a request to 
a generic img directory:

OPTIONS /img/ HTTP/1.0
        Cookie: JSESSIONID=C46C2E18BE95AD91828C9370CBDF0AF2
        Content-Length: 0
        Accept: */*
        Accept-Language: en-us
        Connection: Keep-Alive
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)

Returns:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Content-Length: 0
Date: Mon, 24 Apr 2006 15:11:16 GMT
Connection: close

Which shows several destructive options available (PUT, DELETE).  But a 
request to DELETE or PUT (correctly) returns a 403 FORBIDDEN result:

DELETE /img/ HTTP/1.0
        Cookie: JSESSIONID=C46C2E18BE95AD91828C9370CBDF0AF2
        Content-Length: 0
        Accept: */*
        Accept-Language: en-us
        Connection: Keep-Alive
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)

Returns:

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 964
Date: Mon, 24 Apr 2006 15:12:31 GMT
Connection: close

Because the initial OPTIONS request returns a list containing dangerous verbs, 
the directory will be flagged as a serious security vulnerability by most 
scanners (a false positive).

The issue DOES NOT occur when the directory HAS a default file in it:

OPTIONS /user_management/ HTTP/1.0
        Cookie: JSESSIONID=C46C2E18BE95AD91828C9370CBDF0AF2
        Content-Length: 0
        Accept: */*
        Accept-Language: en-us
        Connection: Keep-Alive
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)

Returns:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BC992F0C86E2BCBD0A2E5F1B3A12C50C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 24 Apr 2006 15:14:27 GMT
Connection: close
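The report's core point is that the verbs advertised in the OPTIONS `Allow` header and the verbs the server actually honours can disagree, and that a scanner which trusts `Allow` alone will raise a false positive. The following script is an added illustration, not part of the bug report or of Tomcat; it parses a captured OPTIONS response, compares the advertised verbs with the status codes each verb actually produced, and classifies a "destructive method enabled" finding as confirmed, a false positive, or inconclusive. The OPTIONS response and the 403 results for PUT and DELETE are taken from the report above; the 200 results for GET/HEAD/OPTIONS are assumed sample values, and the `reconcile`/`triage` function names are my own.

```python
"""
Triage an "OPTIONS advertises PUT/DELETE" scanner finding by reconciling
the Allow header with the status codes each verb really returned.

Everything here works on captured text; nothing is sent over the network.
"""
from typing import Dict, Set

# Constructed from the bug report: the OPTIONS response for /img/.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "Date: Mon, 24 Apr 2006 15:11:16 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Status code each verb actually produced against /img/.
# PUT/DELETE -> 403 is from the report; GET/HEAD/OPTIONS -> 200 are assumed
# sample values.  POST and TRACE are deliberately left unprobed.
OBSERVED_STATUS: Dict[str, int] = {
    "GET": 200, "HEAD": 200, "OPTIONS": 200,
    "PUT": 403, "DELETE": 403,
}

# Verbs whose presence a scanner treats as a finding.
DESTRUCTIVE: Set[str] = {"PUT", "DELETE"}


def parse_allow(raw_response: str) -> Set[str]:
    """Return the union of every Allow header value in a raw HTTP response.

    Header names are matched case-insensitively, and repeated Allow headers
    are merged (RFC 2616 permits a list header to appear more than once).
    """
    normalized = raw_response.replace("\r\n", "\n")
    head = normalized.split("\n\n", 1)[0]
    verbs: Set[str] = set()
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            verbs.update(v.strip().upper() for v in value.split(",") if v.strip())
    return verbs


def reconcile(allow: Set[str], observed: Dict[str, int]) -> Dict[str, Set[str]]:
    """Split the advertised verbs into those the server really accepted
    (2xx/3xx), those it refused (4xx/5xx), and those never exercised."""
    effective = {m for m in allow if m in observed and observed[m] < 400}
    refused = {m for m in allow if m in observed and observed[m] >= 400}
    unprobed = {m for m in allow if m not in observed}
    return {"effective": effective, "refused": refused, "unprobed": unprobed}


def triage(allow: Set[str], observed: Dict[str, int]) -> Dict[str, object]:
    """Classify a 'destructive verb advertised' finding.

    confirmed      - a destructive verb was advertised AND accepted
    false positive - every advertised destructive verb was refused
    inconclusive   - a destructive verb was advertised but never probed
    clean          - no destructive verb was advertised at all
    """
    groups = reconcile(allow, observed)
    advertised = allow & DESTRUCTIVE
    if not advertised:
        verdict = "clean"
    elif advertised & groups["effective"]:
        verdict = "confirmed"
    elif advertised <= groups["refused"]:
        verdict = "false positive"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, **groups}


if __name__ == "__main__":
    result = triage(parse_allow(OPTIONS_RESPONSE), OBSERVED_STATUS)
    for key, value in result.items():
        print(f"{key:>14}: {sorted(value) if isinstance(value, set) else value}")
```

For the captured /img/ exchange the verdict is "false positive": PUT and DELETE are advertised but both returned 403, while POST and TRACE land in the unprobed bucket, which is the reminder that an `Allow` list is a claim to be verified per verb, not evidence on its own.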
