Bill Barker wrote:
Bill Barker wrote:
Ok, this isn't right. Tomcat defaults to NonLoginAuthenticator if there is
no login-config. This one just approves everybody for everything.
Ok. This isn't absolutely critical, but needs to be fixed.
I just tested this with a fresh build of everything, and
Bill Barker wrote:
Ok, this isn't right. Tomcat defaults to NonLoginAuthenticator if there is
no login-config. This one just approves everybody for everything.
Ok. This isn't absolutely critical, but needs to be fixed.
Rémy
- Original Message -
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Sunday, January 11, 2004 1:18 AM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
Bill Barker wrote:
Ok, this isn't right. Tomcat defaults
Remy Maucherat wrote:
Bill Barker wrote:
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
response.
I don't care about this lame XSS bug. However, what you describe doesn't
work for me.
There are two
Remy Maucherat wrote:
Remy Maucherat wrote:
Bill Barker wrote:
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
response.
I don't care about this lame XSS bug. However, what you describe doesn't
- Original Message -
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Saturday, January 10, 2004 5:24 AM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
Remy Maucherat wrote:
Bill Barker wrote:
I just tried
- Original Message -
From: Bill Barker [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Saturday, January 10, 2004 6:28 PM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
- Original Message -
From: Remy Maucherat [EMAIL PROTECTED