Running Nessus against our server (Debian Woody + standalone Tomcat 5.0.18)
produces a security warning that the PUT and DELETE http methods are enabled
in Tomcat. Although these warnings were not exploitable, I really need to
ensure that these 2 methods are completely disabled.
I've spent a good while looking into this, and this is where I'm at so far -
I've placed the following in $CATALINA_HOME/conf/web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Disable Methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name></role-name>
    </auth-constraint>
</security-constraint>
I was under the impression that by not including a <role-name> value, then
all PUT and DELETE method requests are disabled since the security
constraint cannot be linked to a role. However, the fact that it doesn't
work yet means I'm doing something wrong somewhere!
Any guidance is very much appreciated.
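An added check, not part of the post above: a small audit of a web.xml that tells apart the posted form (an auth-constraint with an empty role-name) from the servlet-spec deny-all form (an auth-constraint with no role-name at all), and also reports whether Tomcat's DefaultServlet has its documented readonly init-param switched off, since that is the setting that actually allows PUT/DELETE to write files. The web.xml text is a constructed sample mirroring the fragment in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment). It mirrors the posted fragment:
# an <auth-constraint> whose single <role-name> is empty.
POSTED = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>Disable Methods</web-resource-name><url-pattern>/*</url-pattern>
<http-method>PUT</http-method><http-method>DELETE</http-method>
</web-resource-collection><auth-constraint><role-name></role-name></auth-constraint>
</security-constraint></web-app>"""

# Servlet-spec deny-all form: an <auth-constraint> with no <role-name> at all.
FIXED = POSTED.replace("<auth-constraint><role-name></role-name></auth-constraint>",
                       "<auth-constraint/>")


def audit_web_xml(xml_text):
    """Return (denied, findings): the HTTP methods that a portable deny-all
    constraint on /* refuses, and reasons why other constraints do not."""
    root = ET.fromstring(xml_text)
    denied, findings = set(), []
    for sc in root.iter("security-constraint"):
        methods, patterns = set(), set()
        for wrc in sc.findall("web-resource-collection"):
            patterns |= {p.text.strip() for p in wrc.findall("url-pattern") if p.text}
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method") if m.text}
        ac = sc.find("auth-constraint")
        if ac is None:
            # No auth-constraint means the collection is reachable by anyone.
            findings.append("no <auth-constraint> for %s: nothing is denied" % sorted(methods))
        elif any(not (r.text or "").strip() for r in ac.findall("role-name")):
            # A blank role name is container-specific; the spec's deny-all is an empty element.
            findings.append("empty <role-name>: use an empty <auth-constraint/> to deny everyone")
        elif not ac.findall("role-name") and "/*" in patterns:
            denied |= methods
    return denied, findings


def default_servlet_readonly(xml_text):
    """True unless Tomcat's DefaultServlet has readonly=false, the setting that
    actually lets PUT/DELETE create and remove files under the webapp."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter("servlet"):
        cls = servlet.findtext("servlet-class", "")
        if cls.strip() == "org.apache.catalina.servlets.DefaultServlet":
            for ip in servlet.findall("init-param"):
                if ip.findtext("param-name", "").strip() == "readonly":
                    return ip.findtext("param-value", "true").strip().lower() != "false"
    return True  # the documented default
```

Run it against $CATALINA_HOME/conf/web.xml and each webapp's WEB-INF/web.xml; a scanner that only reads the Allow header from an OPTIONS response may still list PUT and DELETE even when every request with those methods is refused.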