There does not appear to be any place in Tomcat to disable the HTTP TRACE. This is a
well known vulnerability that affects most servers and is consistently used by hackers
to gather information useful for their attacks.
Is there a formal URL for reporting Tomcat bugs?
In the past I have detected other bugs, posted them on this list and received no
replies whatsoever.
-----
Related info:
I searched the web for solutions, and I found only the following useless "solutions":
1) Adding the following snippet to web.xml for the application. Unfortunately after
applying it, our vulnerability tool was still able to detect the HTTP TRACE support.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
</security-constraint>
2) Modify the source code of Tomcat (quite a hack and undesirable) and recompile. In
Tomcat 4 the file to modify would have been
jakarta-tomcat-4.1.24-src/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
Bruno Melloni
eBusiness Application Center, Americas
Nokia, Inc
6000 Connection Drive, Mailstop 4w223
Irving, TX 75039 USA
*Office: +1 (972)894-6120
*Cellular: +1 (469) 939-1067
* SMS: [EMAIL PROTECTED]
* e-mail: [EMAIL PROTECTED]
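A note on why the web.xml snippet in the post above did not stop TRACE, with an added example that is not part of the original message or of Tomcat: under the Servlet specification a `<security-constraint>` with no `<auth-constraint>` element grants access to the listed resources, while an empty `<auth-constraint/>` denies them to every caller. The posted constraint has no `<auth-constraint>` at all, so the container keeps serving TRACE. The script below, written here for this thread, parses a web.xml and reports for each constraint whether it permits, restricts to roles, or denies the HTTP methods it names; both embedded web.xml documents are constructed samples, one matching the post and one with the empty `<auth-constraint/>` added.

```python
"""Lint web.xml security-constraints that try to block HTTP methods.

Added example for this thread; not code from the original post or Tomcat.
Both web.xml samples below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post (no <auth-constraint>).
POSTED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

# Constructed sample: same constraint plus an empty <auth-constraint/>,
# which the Servlet spec defines as "deny to everyone".
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip any XML namespace so Servlet 2.3 and namespaced web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def audit_method_constraints(web_xml_text):
    """Return one dict per <security-constraint>: methods, URL patterns,
    the effect the container will apply, and any role names listed."""
    root = ET.fromstring(web_xml_text)
    report = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        methods, patterns, roles = [], [], None
        for child in sc:
            name = _local(child.tag)
            if name == "web-resource-collection":
                for gc in child:
                    if _local(gc.tag) == "http-method":
                        methods.append((gc.text or "").strip().upper())
                    elif _local(gc.tag) == "url-pattern":
                        patterns.append((gc.text or "").strip())
            elif name == "auth-constraint":
                roles = [(r.text or "").strip() for r in child
                         if _local(r.tag) == "role-name"]
        if roles is None:
            effect = "PERMITS"     # no auth-constraint: open to everyone
        elif not roles:
            effect = "DENIES"      # empty auth-constraint: denied to everyone
        else:
            effect = "RESTRICTS"   # only the listed roles may use these methods
        report.append({"methods": methods, "patterns": patterns,
                       "effect": effect, "roles": roles or []})
    return report


def trace_is_blocked(web_xml_text):
    """True only if some constraint covering /* denies TRACE to every caller."""
    return any(r["effect"] == "DENIES"
               and "TRACE" in r["methods"]
               and "/*" in r["patterns"]
               for r in audit_method_constraints(web_xml_text))


if __name__ == "__main__":
    for label, doc in (("posted", POSTED_WEB_XML), ("fixed", FIXED_WEB_XML)):
        for r in audit_method_constraints(doc):
            print(f"{label}: {r['effect']} {r['methods']} on {r['patterns']}")
        print(f"{label}: TRACE blocked = {trace_is_blocked(doc)}")
```

Run against the real web.xml before trusting a scanner result: a constraint that reports `PERMITS` is the exact mistake in the post, and adding `<auth-constraint/>` turns it into `DENIES`. Later Tomcat releases also expose an `allowTrace` attribute on the HTTP `<Connector>` (default false), which refuses TRACE at the connector without any web.xml change; that attribute postdates the Tomcat 4.1 release discussed here.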