Yoav,

This was detected both before and after applying the "fix" snippet to web.xml, by both 
the security analysis tool and by typing "TRACE / HTTP/1.0" and hitting return twice 
on a telnet session.

I am not familiar with the analysis tool used by our security team, but I know it is 
supposed to be the strongest tool in the market for detecting web-site 
vulnerabilities.  It is possible that other tools don't detect this vulnerability yet 
and that is why most people aren't worrying about it.

From what I am told, the other application servers used in our company all have a 
configuration-driven way to disable the TRACE HTTP.  My project is the first one to 
try to use Tomcat as a "real" server.

bruno

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
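The manual check Bruno describes (typing `TRACE / HTTP/1.0` into a telnet session and looking at what comes back) can be scripted so that the "before" and "after" of a configuration change are compared mechanically. The following is an added example, not code from the thread or from Tomcat: it builds the same TRACE request, classifies a raw HTTP response as "TRACE honoured" (a 2xx reply that echoes the request, typically with a `message/http` body) or "TRACE blocked" (405, 403, 501 and the like), and includes a small live probe. The `X-Probe` marker header, the function names and the two sample responses are all constructed for this example.

```python
"""Classify whether an HTTP server honours the TRACE method.

Added example (not from the mailing-list thread). It mirrors the manual
telnet probe: send "TRACE / HTTP/1.0", a Host header, an empty line, and
inspect the reply. Sample responses at the bottom are constructed.
"""
import socket

# Constructed marker header; if the server echoes the request back we will
# find this string in the body even when Content-Type is not message/http.
PROBE_HEADER = b"X-Probe: marker-123"


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Same bytes the telnet probe types; the blank line ends the headers."""
    return (
        f"TRACE {path} HTTP/1.0\r\nHost: {host}\r\n".encode()
        + PROBE_HEADER + b"\r\n\r\n"
    )


def parse_status_line(raw: bytes) -> int:
    """Return the numeric status from the first line of a raw HTTP response."""
    head = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = head.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {head!r}")
    return int(parts[1])


def split_response(raw: bytes):
    """Split a raw response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def trace_enabled(raw: bytes) -> bool:
    """True when the server accepted TRACE and reflected the request.

    Only a 2xx status counts; a blocked method normally answers 405, 403 or
    501. A 2xx with a message/http body, or with our probe header reflected
    in the body, means the request was echoed (the cross-site-tracing case).
    """
    status = parse_status_line(raw)
    if not 200 <= status < 300:
        return False
    headers, body = split_response(raw)
    ctype = headers.get("content-type", "")
    return ctype.startswith("message/http") or PROBE_HEADER in body


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> bool:
    """Live check against your own server; not exercised by the offline test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed sample responses (not captured from any real server).
ECHOED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 62\r\n\r\n"
    b"TRACE / HTTP/1.0\r\nHost: example.test\r\nX-Probe: marker-123\r\n\r\n"
)
BLOCKED = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("echoed sample  -> TRACE enabled:", trace_enabled(ECHOED))   # True
    print("blocked sample -> TRACE enabled:", trace_enabled(BLOCKED))  # False
```

Running `trace_enabled` over the two constructed samples gives `True` for the echoed reply and `False` for the 405, which is the distinction Bruno's security tool and telnet test were making; `probe("your-host")` applies the same classification to a real server you administer, so the result before and after a web.xml or connector change can be recorded side by side.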
