Howdy,

>There does not appear to be any place in Tomcat to disable the HTTP TRACE.
>This is a well known vulnerability that affects most servers and is
>consistently used by hackers to gather information useful for their
>attacks.

This is discussed here, as you've noted:
http://marc.theaimsgroup.com/?l=tomcat-user&m=105632353125969&w=2

Having applied the security constraint, did you try exploiting TRACE or did you just run your security analysis tool?

>Is there a formal URL for reporting Tomcat bugs?

This is the place.

>In the past I have detected other bugs, posted them on this list and
>received no replies whatsoever.

Perhaps that's because no one cares? Especially if a fix is known, as it is for this issue.

>I searched the web for solutions, and I found only the following useless
>"solutions":

Or perhaps it's because people don't care to respond when the original post uses such an offensive tone ;)

Yoav Shapira
