Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-21 Thread Mark Thomas
On 20/03/2020 22:18, James H. H. Lampert wrote: > On 3/18/20 4:03 AM, Mark Thomas replied to my questions: > >>> But I'm not sure (1) how security constraints interact with other >>> security constraints, and >> >> See section 13.8.1 of the Servlet 4.0 spec. >> >>> (2) whether they can go in the

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-20 Thread James H. H. Lampert
On 3/18/20 4:03 AM, Mark Thomas replied to my questions: But I'm not sure (1) how security constraints interact with other security constraints, and See section 13.8.1 of the Servlet 4.0 spec. (2) whether they can go in the conf/web.xml as well as individual webapps' web.xml files. Yes

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-18 Thread James H. H. Lampert
On 3/18/20 1:16 AM, Olaf Kock wrote: Are you sure that this is for tomcat, not for your own application? Actually, since on-screen it looks like one of ours, I was already leaning to that conclusion, and had brought it to the attention of our webapp developer. Thanks for all the responses

RE: Security audit raises questions (Tomcat 7.0.93)

2020-03-18 Thread Berneburg, Cris J. - US
From: James H. H. Lampert Sent: Tuesday, March 17, 2020 6:05 PM To: Tomcat Users List Subject: Security audit raises questions (Tomcat 7.0.93) Ladies and Gentlemen: One of our customers did a security audit on the Tomcat server we maintain on their system, and it found a few issues: First,

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-18 Thread Christopher Schultz
James, On 3/17/20 18:31, James H. H. Lampert wrote: > > On 3/17/20 3:18 PM, Martynas Jusevičius wrote: >> why should DELETE or OPTIONS not be enabled? They are standard >> HTTP methods. > > True, but (quoting the audit report) >> . . . [DELETE] may

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-18 Thread Mark Thomas
On 18/03/2020 00:04, James H. H. Lampert wrote: > On 3/17/20 3:50 PM, Mark Thomas wrote: >> The XSS might be valid. I assume the tool provided a sample URL you >> could use to validate the finding. That should point you in the right >> direction but feel free to ask here if more help is required.

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-18 Thread Mark Thomas
On 17/03/2020 23:30, Martynas Jusevičius wrote: > Tomcat does not allow DELETE by default? I’m using 8.0.x with Jersey and I > don’t think I used any config to enable it. By default, HttpServlet (which pretty much every servlet extends) returns a 405 for a DELETE. The Servlets that Tomcat

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-18 Thread Olaf Kock
On 18.03.20 01:04, James H. H. Lampert wrote: > On 3/17/20 3:50 PM, Mark Thomas wrote: >> The XSS might be valid. I assume the tool provided a sample URL you >> could use to validate the finding. That should point you in the right >> direction but feel free to ask here if more help is required.

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread James H. H. Lampert
On 3/17/20 3:50 PM, Mark Thomas wrote: The XSS might be valid. I assume the tool provided a sample URL you could use to validate the finding. That should point you in the right direction but feel free to ask here if more help is required. Near as I can tell, it did but it didn't provide a

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Martynas Jusevičius
Tomcat does not allow DELETE by default? I’m using 8.0.x with Jersey and I don’t think I used any config to enable it. On Tue, 17 Mar 2020 at 23.50, Mark Thomas wrote: > On March 17, 2020 10:31:06 PM UTC, "James H. H. Lampert" < > jam...@touchtonecorp.com> wrote: > > > >On 3/17/20 3:18 PM,

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Mark Thomas
On March 17, 2020 10:31:06 PM UTC, "James H. H. Lampert" wrote: > >On 3/17/20 3:18 PM, Martynas Jusevičius wrote: >> why should DELETE or OPTIONS not be enabled? They are standard HTTP >methods. > >True, but (quoting the audit report) >> . . . [DELETE] may allow a remote attacker to delete

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread James H. H. Lampert
On 3/17/20 3:34 PM, Martin Grigorov wrote: Reading the quoted text I'd suggest you throw this tool in the bin. I hope you didn't pay for it. Are you suggesting that we throw a paying customer "in the bin?" It is not OUR audit; it is the CUSTOMER's audit (the report self-identifies as

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Martin Grigorov
On Wed, Mar 18, 2020 at 12:31 AM James H. H. Lampert < jam...@touchtonecorp.com> wrote: > > On 3/17/20 3:18 PM, Martynas Jusevičius wrote: > > why should DELETE or OPTIONS not be enabled? They are standard HTTP > methods. > > True, but (quoting the audit report) > > . . . [DELETE] may allow a

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread James H. H. Lampert
On 3/17/20 3:18 PM, Martynas Jusevičius wrote: why should DELETE or OPTIONS not be enabled? They are standard HTTP methods. True, but (quoting the audit report) . . . [DELETE] may allow a remote attacker to delete arbitrary files . . . . and (again quoting the report) Web servers that

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Martynas Jusevičius
Hi, why should DELETE or OPTIONS not be enabled? They are standard HTTP methods. On Tue, Mar 17, 2020 at 11:05 PM James H. H. Lampert wrote: > > Ladies and Gentlemen: > > One of our customers did a security audit on the Tomcat server we > maintain on their system, and it found a few issues: > >

Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread James H. H. Lampert
Ladies and Gentlemen: One of our customers did a security audit on the Tomcat server we maintain on their system, and it found a few issues: First, it found a cross-site scripting vulnerability. Second, it found the HTTP DELETE method enabled. Third, it found a click-jacking vulnerability.