Re: HTTP trace

2005-09-26 Thread Tim Funk

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html

See the allowTrace option

-Tim

Wilding, Gregory wrote:

> Does anybody know how to disable HTTP trace within Tomcat?
>
> Thanks


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



HTTP trace

2005-09-26 Thread Wilding, Gregory
Does anybody know how to disable HTTP trace within Tomcat?

Thanks


Gregory Wilding
EDS Business Exchange Services


How to Disable HTTP Trace on Tomcat 4.1.30

2005-02-02 Thread Curry, Ivory
Hello all,
 
After scanning our TOMCAT 4.1.30 server for vulnerabilities, the report
came back with HTTP TRACE as being a MEDIUM level vulnerability. Is
there a way to disable HTTP TRACE on Tomcat 4.1.30? Thanks in advance!
 
 


Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-10 Thread Remy Maucherat
Bill Barker wrote:
> I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
> security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
> response.
I don't care about this lame XSS bug. However, what you describe doesn't 
work for me.

--
Rémy Maucherat
Senior Developer & Consultant
JBoss Group (Europe) SàRL


Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-10 Thread Nikola Milutinovic
> From what I am told, the other application servers used in our company all
> have a configuration-driven way to disable the
> TRACE HTTP.  My project is the first one to try to use Tomcat as a "real"
> server.

The only workaround (and a recommended thing to do, anyway) is to use Apache
as a front-end. Apache's security should kick in before it passes the request to
Tomcat via mod_jk2.

Nix.





Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-09 Thread Bill Barker
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
response.




RE: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-09 Thread Bruno.Melloni
Yoav,

This was detected both before and after applying the "fix" snippet to web.xml, by both 
the security analysis tool and by typing "TRACE / HTTP/1.0" and hitting return twice 
on a telnet session.

I am not familiar with the analysis tool used by our security team, but I know it is 
supposed to be the strongest tool in the market for detecting web-site 
vulnerabilities.  It is possible that other tools don't detect this vulnerability yet 
and that is why most people aren't worrying about it.

From what I am told, the other application servers used in our company all have a 
configuration-driven way to disable the TRACE HTTP.  My project is the first one to 
try to use Tomcat as a "real" server.

bruno




RE: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-09 Thread Shapira, Yoav

Howdy,

>There does not appear to be any place in Tomcat to disable the HTTP
>TRACE.
>This is a well known vulnerability that affects most servers and is
>consistently used by hackers to gather information useful for their
>attacks.

This is discussed here, as you've noted:
http://marc.theaimsgroup.com/?l=tomcat-user&m=105632353125969&w=2

Having applied the security constraint, did you try exploiting TRACE or
did you just run your security analysis tool?

>Is there a formal URL for reporting Tomcat bugs?

This is the place.

>In the past I have detected other bugs, posted them on this list and
>received no replies whatsoever.

Perhaps that's because no one cares?  Especially if a fix is known, as
it is for this issue.

>I searched the web for solutions, and I found only the following
>useless "solutions":

Or perhaps it's because people don't care to respond when the original
post uses such an offensive tone ;)

Yoav Shapira








SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-09 Thread Bruno.Melloni
There does not appear to be any place in Tomcat to disable the HTTP TRACE.  This is a 
well known vulnerability that affects most servers and is consistently used by hackers 
to gather information useful for their attacks.

Is there a formal URL for reporting Tomcat bugs?

In the past I have detected other bugs, posted them on this list and received no 
replies whatsoever.

-
Related info:

I searched the web for solutions, and I found only the following useless "solutions":

1) Adding the following snippet to web.xml for the application.  Unfortunately after 
applying it, our vulnerability tool was still able to detect the HTTP TRACE support.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
  </security-constraint>

2) Modify the source code of Tomcat (quite a hack and undesirable) and recompile.  In 
Tomcat 4 the file to modify would have been 
jakarta-tomcat-4.1.24-src/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java

Bruno Melloni
eBusiness Application Center, Americas
Nokia, Inc


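The snippet in the message above selects TRACE on /* but carries no <auth-constraint>, and a security-constraint that refuses nobody does not block anything, which is consistent with the scanner still seeing TRACE. The Python below is an added example, not code from this thread or from Tomcat: it parses a web.xml and reports whether some security-constraint actually denies TRACE (an empty <auth-constraint/> denies everyone; a role-name restricts to that role). The three sample documents are constructed here, and the role name nobody-has-this-role is an assumed placeholder.

```python
# Added example, not code from the thread: classify whether a web.xml
# <security-constraint> actually denies the TRACE method. Listing TRACE in
# a <web-resource-collection> only selects requests; without an
# <auth-constraint> nothing is refused, and an empty <auth-constraint/>
# refuses every caller (the 403 mentioned later in this thread).
import xml.etree.ElementTree as ET

def _name(tag):
    # drop a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}
    return tag.rsplit('}', 1)[-1]

def _texts(parent, child_name):
    return [(e.text or '').strip() for e in parent if _name(e.tag) == child_name]

def classify_trace(web_xml):
    """Return 'denied', 'role-restricted' or 'unrestricted' for TRACE on /*."""
    result = 'unrestricted'
    for sc in ET.fromstring(web_xml).iter():
        if _name(sc.tag) != 'security-constraint':
            continue
        covers = any('/*' in _texts(w, 'url-pattern') and
                     'TRACE' in [m.upper() for m in _texts(w, 'http-method')]
                     for w in sc if _name(w.tag) == 'web-resource-collection')
        auth = [a for a in sc if _name(a.tag) == 'auth-constraint']
        if not covers or not auth:
            continue  # selects nothing, or selects TRACE but refuses nobody
        if _texts(auth[0], 'role-name'):
            result = 'role-restricted'  # refused unless the caller holds the role
        else:
            return 'denied'  # empty auth-constraint: nobody may call TRACE

    return result

# Constructed samples: the shape of the snippet posted above, then two fixes.
NO_AUTH = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>DisableExploitTraceHTTP</web-resource-name>
<url-pattern>/*</url-pattern><http-method>TRACE</http-method>
</web-resource-collection></security-constraint></web-app>"""
EMPTY_AUTH = NO_AUTH.replace('</web-resource-collection>',
                             '</web-resource-collection><auth-constraint/>')
ROLE_AUTH = NO_AUTH.replace('</web-resource-collection>',
    '</web-resource-collection><auth-constraint>'
    '<role-name>nobody-has-this-role</role-name></auth-constraint>')

if __name__ == '__main__':
    for label, doc in (('no auth-constraint', NO_AUTH),
                       ('empty auth-constraint', EMPTY_AUTH),
                       ('role-name auth-constraint', ROLE_AUTH)):
        print(f'{label}: {classify_trace(doc)}')
```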



Re: How do I disable HTTP TRACE in Tomcat

2003-06-23 Thread Bill Barker
A 302 response is a redirect.  If you don't have an SSL Connector
configured, then what you have should work (ugly, but works ;-).

I believe that the idea was to have a:
  <auth-constraint>
    <description>Forbidden Roles</description>
    <role-name>nobody-has-this-role</role-name>
  </auth-constraint>
It is really ugly for Form-auth (but it mostly makes life difficult for
hackers, so what do you care ;-).





Re: How do I disable HTTP TRACE in Tomcat

2003-06-22 Thread Peter M. Gerken
Tim...

I think I found a way that appears to work... I added the
<http-method>TRACE</http-method> line and it gives me the 302 message for
the HTTP TRACE, and my web app appears to be working. Is this all I need
to do?

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Thanks

Pete



Re: How do I disable HTTP TRACE in Tomcat

2003-06-22 Thread Peter M. Gerken
Tim

Thanks for the suggestion and it shows the following when I try to 
telnet and send HTTP TRACE

HTTP/1.1 302 Moved Temporarily
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://localhost:8443/
Content-Type: text/plain
Content-Length: 0
Date: Mon, 23 Jun 2003 03:39:19 GMT
Server: Apache Coyote/1.0
Connection: close

That might satisfy the sys admins, but it also doesn't allow my webapp 
to run. Here's what the link you gave said to add to web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I'm assuming that the url-pattern is catching everything anyway to 
only stop HTTP TRACE?

Thanks!

Pete



Re: How do I disable HTTP TRACE in Tomcat

2003-06-22 Thread Tim Funk
In web.xml - use a security constraint to disallow trace.

It is similar to this:
http://jakarta.apache.org/tomcat/faq/security.html#https

-Tim



How do I disable HTTP TRACE in Tomcat

2003-06-22 Thread Peter M. Gerken
Hi..

I'm using tomcat 4.1.24 and the sys admins found a potential security 
hole by sending a HTTP TRACE. They told me I need to fix it by following 
the instructions in the following URL:

http://www.kb.cert.org/vuls/id/867593

However, I'm not using the Apache HTTP Server, just Tomcat with its 
embedded server.  Is there any way to disable an HTTP TRACE sent to Tomcat?

Here's the test I need to fail...

telnet xxx.xxx.xxx.xxx 8080

type in "TRACE / HTTP/1.0"  and hit return twice... it shows...

HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 18
Date: Sun, 22 Jun 2003 22:52:24 GMT
Server: Apache Coyote/1.0
Connection: close

TRACE / HTTP/1.0

I need that to fail to get the sys admins off my back.

Any help would be much appreciated!

Thanks!!

Pete



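The telnet check described in this thread ("TRACE / HTTP/1.0" followed by a blank line), as an added Python example that is not from the thread: it classifies the reply the way the responses in the thread read, with a 200 whose Content-Type is message/http meaning the request is echoed back, a 403 from a denying security-constraint (or a 405 from a connector with allowTrace="false") meaning it is refused, and the 302 produced by a CONFIDENTIAL user-data-constraint being only a redirect to HTTPS, not a denial. The sample replies and the probe_trace helper are constructed here.

```python
# Added example, not from the thread: the telnet test done programmatically.
import socket

def classify_trace_response(raw: bytes) -> str:
    """Map a raw HTTP reply to 'enabled', 'blocked', 'redirected' or 'other'."""
    head = raw.partition(b'\r\n\r\n')[0]
    lines = head.decode('iso-8859-1', 'replace').split('\r\n')
    parts = lines[0].split(' ', 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return 'other'  # not an HTTP status line
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # Tomcat echoes the request back as message/http when TRACE is allowed
    if status == 200 and headers.get('content-type', '').startswith('message/http'):
        return 'enabled'
    if status in (403, 405):
        return 'blocked'     # security-constraint denial, or allowTrace="false"
    if status in (301, 302, 303, 307) and 'location' in headers:
        return 'redirected'  # user-data-constraint CONFIDENTIAL: not a denial
    return 'other'

def probe_trace(host: str, port: int = 8080, timeout: float = 5.0) -> str:
    """Send the thread's telnet test (TRACE / HTTP/1.0, blank line) and classify."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b'TRACE / HTTP/1.0\r\n\r\n')
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b''.join(chunks))

# Constructed replies in the shape of the 200 and 302 responses quoted in the thread.
ENABLED_REPLY = (b'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 18\r\n'
                 b'Server: Apache Coyote/1.0\r\nConnection: close\r\n\r\nTRACE / HTTP/1.0\r\n\r\n')
REDIRECT_REPLY = (b'HTTP/1.1 302 Moved Temporarily\r\nLocation: https://localhost:8443/\r\n'
                  b'Content-Length: 0\r\nConnection: close\r\n\r\n')
FORBIDDEN_REPLY = b'HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n'

if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:  # usage: python trace_probe.py host [port]
        print(probe_trace(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8080))
    else:
        print(classify_trace_response(ENABLED_REPLY))
```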