step by step: demonstrate blocked http-method DELETE request?
Can someone show in a step by step way for standalone tomcat:

1. how to show that a DELETE vulnerability exists in tomcat using a telnet session for a sample file, let's say index.html
2. how to block the vulnerability by modifying web.xml
3. what telnet will show once the vulnerability has been blocked

Bill, I've tried your latest suggestions but really have not seen any differences when I try to test them. My vulnerability scanner still shows DELETE and PUT being vulnerable.

Thanks
Re: How to disable PUT, DELETE http methods etc if not using container managed security?
Thanks Bill but I'm not sure it's working. Per your suggestion here's what I have now:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>TRACE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

But, how do I verify that PUT's and DELETE's are blocked now? My vulnerability scanner still shows them as open:

  It seems that the PUT method is enabled on your web server
  Although we could not exploit this, you'd better disable it
  Solution : disable this method
  Risk factor : High
  BID : 12141

If I try to delete index.jsp through a telnet session:

  DELETE /index.jsp HTTP/1.1

I get this as a response:

  HTTP/1.1 400 Bad Request

What's a good way to verify that DELETE is blocked? Can someone give a definitive test?

Thanks

- Original Message -
From: Bill Barker [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Saturday, February 26, 2005 3:33 PM
Subject: Re: How to disable PUT, DELETE http methods etc if not using container managed security?

> For TC 5.x.x, you need two security-constraints to do what you want. One of them looks like your first example, and the other like your second example (except that you probably want <auth-constraint/>, which is deny all, instead of <role-name/>, which is deny to all but the blank role). Since you are forbidding all access, you could also drop the user-data-constraint on the second one (since with it, TC will first redirect a PUT to SSL, and then deny it).
> Ted Anagnost [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>
> > Is there a way to prevent PUT or DELETE http methods if you're not using container managed security? If so, how? I already have this to force the use of https:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Protected Context</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >   </web-resource-collection>
> >   <!-- auth-constraint goes here if you require authentication -->
> >   <user-data-constraint>
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > What changes are needed? I tried this but it didn't seem to work:
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>Protected Context</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >     <http-method>HEAD</http-method> --
> >     <http-method>PUT</http-method> --
> >     <http-method>DELETE</http-method> --
> >     <http-method>TRACE</http-method> --
> >     <http-method>OPTIONS</http-method> --
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name/>
> >   </auth-constraint>
> >   <user-data-constraint>
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > Inserting these statements seems to turn off the automatic enforcement of https which was achieved with the first version. Any ideas?
> >
> > Thanks

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
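A definitive test for the two questions above, added here as an example and not code from the thread: the telnet probe proves nothing because an HTTP/1.1 request without a Host header draws 400 Bad Request before any security-constraint is consulted, so this Python script sends well-formed requests for each method and classifies the reply. The function names (probe, classify, audit, demo) and the stand-in server it runs against offline are my own constructions; point audit() at a real host and port to check an actual Tomcat.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Refusals: 403 from a security-constraint with an empty <auth-constraint/> (or the
# read-only default servlet), 401 if an auth-constraint challenges, 405 if the
# servlet lacks the method. Only a 2xx proves the method is still usable.
DENIED = {401, 403, 405}

def probe(host, port, method, path="/index.html"):
    """Send one well-formed HTTP/1.1 request and return (status, reason). The Host
    header is sent explicitly; telnet without it gets 400 regardless of method."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers={"Host": f"{host}:{port}"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.reason
    finally:
        conn.close()

def classify(status):
    """Map a status code to a verdict; 400 is a malformed request, not a verdict."""
    if status in DENIED:
        return "blocked"
    if 200 <= status < 300:
        return "allowed"
    return f"inconclusive ({status})"

def audit(host, port, methods=("GET", "PUT", "DELETE")):
    """Probe each method against the same resource; returns {method: verdict}."""
    return {m: classify(probe(host, port, m)[0]) for m in methods}

class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened Tomcat: GET served, PUT/DELETE get 403."""
    def _reply(self, code):
        self.send_response(code); self.send_header("Content-Length", "0"); self.end_headers()
    def do_GET(self): self._reply(200)
    def do_PUT(self): self._reply(403)
    def do_DELETE(self): self._reply(403)
    def log_message(self, *args): pass  # keep the stand-in quiet

def demo():
    """Run the audit offline against the stand-in on a free local port."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown(); srv.server_close()
```

A scanner that still flags PUT after the constraint is in place is usually reading the OPTIONS Allow header rather than attempting the method; the verdict that matters is whether PUT and DELETE come back 2xx.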
How to disable PUT, DELETE http methods etc if not using container managed security?
Is there a way to prevent PUT or DELETE http methods if you're not using container managed security? If so, how? I already have this to force the use of https:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

What changes are needed? I tried this but it didn't seem to work:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method> --
    <http-method>PUT</http-method> --
    <http-method>DELETE</http-method> --
    <http-method>TRACE</http-method> --
    <http-method>OPTIONS</http-method> --
  </web-resource-collection>
  <auth-constraint>
    <role-name/>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Inserting these statements seems to turn off the automatic enforcement of https which was achieved with the first version. Any ideas?

Thanks
Blank Page when using http://192.168.1.100/
http://localhost/ works
http://127.0.0.1/ works
http://192.168.1.100/mysite/ works
192.168.1.100 is my internal IP
http://192.168.1.100/ displays a BLANK PAGE

1. Why does it display a blank page when using http://192.168.1.100/
2. What is the proper way to make all of these redirect to 'mysite'?

Tomcat 5.0.28 server.xml has:

<Host name="localhost" debug="0" appBase="webapps" ...>
  <Alias>192.168.1.100</Alias>
  <Alias>127.0.0.1</Alias>
</Host>
Re: Blank Page when using http://192.168.1.100/
Yes

- Original Message -
From: Mark Benussi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 1:34 AM
Subject: RE: Blank Page when using http://192.168.1.100/

> Are you using a router?
>
> Original Message Follows
> From: Ted Anagnost [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Blank Page when using http://192.168.1.100/
> Date: Wed, 1 Dec 2004 00:26:51 -0600
>
> > http://localhost/ works
> > http://127.0.0.1/ works
> > http://192.168.1.100/mysite/ works
> > 192.168.1.100 is my internal IP
> > http://192.168.1.100/ displays a BLANK PAGE
> >
> > 1. Why does it display a blank page when using http://192.168.1.100/
> > 2. What is the proper way to make all of these redirect to 'mysite'?
> >
> > Tomcat 5.0.28 server.xml has:
> >
> > <Host name="localhost" debug="0" appBase="webapps" ...>
> >   <Alias>192.168.1.100</Alias>
> >   <Alias>127.0.0.1</Alias>
> > </Host>
Re: http://localhost/ works but http://ip address/ doesn't
Hello Christopher,

I changed tomcat to use port=80 and http://192.168.1.100/ works but http://ip address/ still does not work. What do you suggest?

Thanks,
Ted

- Original Message -
From: Christopher Watson [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:19 AM
Subject: RE: http://localhost/ works but http://ip address/ doesn't

> Doug.
>
> Is your tomcat on port 80 or port 8080 ...
>
> You say "If I try http://192.168.1.100:8080/, it works."
>
> Does http://192.168.1.100/ (i.e. default http port 80, equivalent to http://192.168.1.100:80/) work?
>
> If both the above work, what is at port 80? IIS? Apache? And what are you using to 'route' between port 80 and port 8080? Is that configured OK to work with your public IP address?
>
> If there's no 'routing' between 80 and 8080, then does http://thepublicipaddress:8080/ work? (This may well have been stopped by the ISP's firewall.) If it does, you may want to start tomcat on port 80 ??
>
> Look in conf/server.xml for the line that starts <Connector port="8080" and change it to <Connector port="80"
>
> Hope this helps.
> Christopher
>
> -----Original Message-----
> From: Ted Anagnost [mailto:[EMAIL PROTECTED]
> Sent: 24 March 2004 08:58
> To: Tomcat Users List
> Subject: Re: http://localhost/ works but http://ip address/ doesn't
>
> > Hello Doug,
> >
> > Last thing first.
> >
> > > I did find you can set the IP with address=??? in the server.xml. Check for this. Unless you have a specific need to, you can remove it.
> >
> > It's not there. Another thing is I tried to ping the computer again from a different external computer and got back no response. The first ping attempt was actually from a Linksys support person who said ping worked but I can't verify that personally of course. I can send you my IP in email if you're willing to try that too (what email address?).
> >
> > > Now in case that is not the issue:
> > >
> > > Sitting at your windows box that is running TC you can open IE and access http://localhost but if you try to access http://yourMachinesIP it fails.
> >
> > Right
> >
> > > You keep mentioning the linksys, so I have to ask, are you trying to use the actual IP of your machine (192.168.1.100) or the public IP assigned to the Internet side of the Linksys (assuming it is connected to the Internet)?
> >
> > The public IP. If I try http://192.168.1.100:8080/, it works.
> >
> > > From a command prompt ping localhost. Then ping the IP of your machine.
> >
> > Both return a response. I'm using the Linksys router BEFSR41 with port forwarding enabled for port 80.
> >
> > > Notice that localhost resolves to 127.0.0.? Do an ipconfig /all from the command prompt. Confirm the IP of your machine.
> >
> > This shows 192.168.1.100 as the IP for my machine.
> >
> > > Are you running ANY firewall software? Disable it on a temporary basis to test.
> >
> > Not sure how to cleanly disable the Linksys firewall protection.
> >
> > > Then configure it to allow http port 80 traffic through.
> >
> > Port forwarding is enabled for port 80 (http).
> >
> > > There are primarily three cases that can happen with your setup:
> > >
> > > 1. Call http://localhost -- no response
> > >    Call http://machineIP -- no response
> > >    Call http://publicIP -- no response
> > >    Tomcat is not running. Firewall on machine is blocking all IP traffic (rare but can happen). TCP/IP stack is corrupt. Since localhost works this is not the issue with yours.
> > >
> > > 2. Call http://localhost -- response
> > >    Call http://machineIP -- no response
> > >    Call http://publicIP -- no response
> > >    Tomcat is misconfigured. Address setting for IP other than machine IP. Firewall is enabled/running on machine (not external unit).
> > >
> > > 3. Call http://localhost -- response
> > >    Call http://machineIP -- response
> > >    Call http://publicIP -- no response
> > >    External firewall is misconfigured. Machine firewall is misconfigured. (Some firewalls treat requests to yourself as localhost and do not filter them. Try accessing http://machineIP from another machine on the network if available.)
> > >
> > > Confirm which category you fall into. Then check the items listed.
> >
> > Looks like I fall into category 3. Unfortunately, I don't have another computer on the network to try your test. Is there some software that may help to test this similarly?
> >
> > > What version of windows are you running?
> >
> > Windows XP, Service Pack 1.
> >
> > > If 2000 or higher go into network connection properties and select the Ethernet adapter that is connected to your linksys. Click on the advanced tab and confirm that the box beside firewall is NOT checked.
> >
> > The box was not checked. Also, there's an Internet Connection network connection of type Internet Gateway that shows some services that you can enable
Re: http://localhost/ works but http://ip address/ doesn't
Hello Doug,

Last thing first.

> I did find you can set the IP with address=??? in the server.xml. Check for this. Unless you have a specific need to, you can remove it.

It's not there. Another thing is I tried to ping the computer again from a different external computer and got back no response. The first ping attempt was actually from a Linksys support person who said ping worked but I can't verify that personally of course. I can send you my IP in email if you're willing to try that too (what email address?).

> Now in case that is not the issue:
>
> Sitting at your windows box that is running TC you can open IE and access http://localhost but if you try to access http://yourMachinesIP it fails.

Right

> You keep mentioning the linksys, so I have to ask, are you trying to use the actual IP of your machine (192.168.1.100) or the public IP assigned to the Internet side of the Linksys (assuming it is connected to the Internet)?

The public IP. If I try http://192.168.1.100:8080/, it works.

> From a command prompt ping localhost. Then ping the IP of your machine.

Both return a response. I'm using the Linksys router BEFSR41 with port forwarding enabled for port 80.

> Notice that localhost resolves to 127.0.0.? Do an ipconfig /all from the command prompt. Confirm the IP of your machine.

This shows 192.168.1.100 as the IP for my machine.

> Are you running ANY firewall software? Disable it on a temporary basis to test.

Not sure how to cleanly disable the Linksys firewall protection.

> Then configure it to allow http port 80 traffic through.

Port forwarding is enabled for port 80 (http).

> There are primarily three cases that can happen with your setup:
>
> 1. Call http://localhost -- no response
>    Call http://machineIP -- no response
>    Call http://publicIP -- no response
>    Tomcat is not running. Firewall on machine is blocking all IP traffic (rare but can happen). TCP/IP stack is corrupt. Since localhost works this is not the issue with yours.
>
> 2. Call http://localhost -- response
>    Call http://machineIP -- no response
>    Call http://publicIP -- no response
>    Tomcat is misconfigured. Address setting for IP other than machine IP. Firewall is enabled/running on machine (not external unit).
>
> 3. Call http://localhost -- response
>    Call http://machineIP -- response
>    Call http://publicIP -- no response
>    External firewall is misconfigured. Machine firewall is misconfigured. (Some firewalls treat requests to yourself as localhost and do not filter them. Try accessing http://machineIP from another machine on the network if available.)
>
> Confirm which category you fall into. Then check the items listed.

Looks like I fall into category 3. Unfortunately, I don't have another computer on the network to try your test. Is there some software that may help to test this similarly?

> What version of windows are you running?

Windows XP, Service Pack 1.

> If 2000 or higher go into network connection properties and select the Ethernet adapter that is connected to your linksys. Click on the advanced tab and confirm that the box beside firewall is NOT checked.

The box was not checked. Also, there's an Internet Connection network connection of type Internet Gateway that shows some services that you can enable Internet users to access. For that, http is unselected. If I select it, and select edit, it has the following fields and values:

  Field: Name or IP address of the computer hosting this service on the network
  Value: 192.168.1.0

  Field: External port number for this service
  Value: 80

  Field: Internal port number for this service
  Value: 80

I tried playing around with the settings here but I'm not sure what to use. (none of them worked)

> If you are category three and the machine firewall is off then you have a problem with your Linksys.

Just to confirm the wiring, I have:

  outside cable --- cable modem --- linksys router --- computer
Re: http://localhost/ works but http://ip address/ doesn't
Hello Doug,

> Sitting at your windows box that is running TC you can open IE and access http://localhost but if you try to access http://yourMachinesIP it fails.

Right

> From a command prompt ping localhost. Then ping the IP of your machine.

Both return a response. I'm using the Linksys router BEFSR41 with port forwarding enabled for port 80.

> Notice that localhost resolves to 127.0.0.? Do an ipconfig /all from the command prompt. Confirm the IP of your machine.

This shows 192.168.1.100 as the IP for my machine.

> Are you running ANY firewall software? Disable it on a temporary basis to test.

Not sure how to cleanly disable the Linksys firewall protection.

> Then configure it to allow http port 80 traffic through.

Port forwarding is enabled for port 80 (http).

What else?

> I am not aware of any setting that binds tomcat to an IP like apache can. Although you can filter on an IP.
>
> Doug
> www.parsonstechnical.com
>
> - Original Message -
> From: Ted Anagnost [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, March 19, 2004 3:36 AM
> Subject: http://localhost/ works but http://ip address/ doesn't
>
> > http://localhost/ works but http://ip address/ doesn't. Internet Explorer gives a "Cannot find server" message. I have tomcat 5.0.18 (without apache). I can ping my IP externally. I have port forwarding enabled on my router. Is there something I need to do to server.xml to enable this to work?
> >
> > Thanks
http://localhost/ works but http://ip address/ doesn't
http://localhost/ works but http://ip address/ doesn't. Internet Explorer gives a "Cannot find server" message. I have tomcat 5.0.18 (without apache). I can ping my IP externally. I have port forwarding enabled on my router. Is there something I need to do to server.xml to enable this to work?

Thanks