----- Original Message -----
From: "Remy Maucherat" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Sunday, January 11, 2004 1:18 AM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
> Bill Barker wrote:
> > Ok, this isn't right. Tomcat defaults to NonLoginAuthenticator if there is
> > no login-config. This one just approves everybody for everything.
> > Ok. This isn't absolutely critical, but needs to be fixed.
>
> I just tested this with a fresh build of everything, and it seems that Tomcat is working fine. I set allowTrace="true" on the connector, and put in a security-constraint to forbid TRACE in ROOT/WEB-INF/web.xml but no login-config. The result is a perfectly good 403 response to 'TRACE / HTTP/1.0', and a perfectly good TRACE response to 'TRACE /jsp-examples/ HTTP/1.0'. I'm afraid that you will have to provide a test case if you want to re-open this issue ;-). I'm resolving it as WORKSFORME.
>
> Rémy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
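The configuration Rémy describes in his test, written out as an added example that is not part of the original thread or of Tomcat's own distributed files. The connector fragment assumes the Tomcat 5-era conf/server.xml layout, and the port value and the web-resource-name string are placeholders chosen here. The security-constraint goes in the web application's WEB-INF/web.xml (ROOT/WEB-INF/web.xml in Rémy's test); no login-config is declared, which is exactly the case Bill raised.

```xml
<!-- conf/server.xml (assumed layout): allowTrace decides whether the connector
     answers TRACE at all. Its default is false, which is the simplest
     mitigation; Rémy set it to true only so the constraint below is exercised.
     The port is a placeholder. -->
<Connector port="8080" allowTrace="true" />

<!-- ROOT/WEB-INF/web.xml: deny the TRACE method on every path in this web
     application. An <auth-constraint/> with no <role-name> grants access to
     nobody, so Tomcat answers 403 even though there is no <login-config> and
     the NonLoginAuthenticator is in effect. The constraint is scoped to this
     webapp only: other contexts (e.g. /jsp-examples/) keep answering TRACE
     unless each declares the same constraint, which matches Rémy's result. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Deny HTTP TRACE</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

To confirm the deployment behaves as Rémy reports, issue `TRACE / HTTP/1.0` against the connector and expect a 403; a context without the constraint will still echo the request back, so the check should be repeated per deployed webapp, or allowTrace left at its default of false so the method is refused before any webapp is consulted.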