I just tried this with the CVS HEAD of Tomcat 5 (after putting in a security-constraint in the ROOT web.xml) and Tomcat happily returned a 403 response.
<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Yoav,

This was detected both before and after applying the "fix" snippet to web.xml, by both the security analysis tool and by typing "TRACE / HTTP/1.0" and hitting return twice on a telnet session.

I am not familiar with the analysis tool used by our security team, but I know it is supposed to be the strongest tool in the market for detecting web-site vulnerabilities. It is possible that other tools don't detect this vulnerability yet and that is why most people aren't worrying about it.

From what I am told, the other application servers used in our company all have a configuration-driven way to disable the TRACE HTTP method. My project is the first one to try to use Tomcat as a "real" server.

bruno

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
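The manual check described in the thread (type "TRACE / HTTP/1.0" into a telnet session, hit return twice, see whether the server echoes the request back) is easy to automate, and automating it is the only reliable way to confirm whether a web.xml change actually took effect. The following is an added example, not code from the thread, from Tomcat or from any scanner: it sends the same raw probe over a socket, and classifies the answer as TRACE enabled (a 2xx that echoes the request line, which is what leaks request headers such as Cookie to a cross-site tracing attacker) or disabled (a 403, 405 or other non-2xx). The two local servers are constructed stand-ins, one that echoes TRACE like an unhardened container and one that refuses it with 403, the status the first message reports from Tomcat 5 with a security-constraint in place (a constraint whose web-resource-collection lists TRACE on /* and whose auth-constraint is empty denies the method to everyone). No real Tomcat instance is contacted; host, port and the X-Probe header name are the example's own choices.

```python
"""Probe a web server for HTTP TRACE the way the telnet session does, and
classify the response. Added example; the local servers are constructed
stand-ins for a vulnerable and a hardened container, not real Tomcat."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_trace_response(raw: bytes) -> str:
    """Map the raw bytes returned for a TRACE probe to a verdict.

    'enabled'  : 2xx status and the body echoes our request line
                 (cross-site tracing exposure: headers come back too)
    'disabled' : any non-2xx status (403, 405, 501 ...)
    'unknown'  : no parseable status line
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    code = int(parts[1])
    if 200 <= code < 300 and b"TRACE / HTTP/1." in body:
        return "enabled"
    return "disabled"


def probe_trace(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send exactly what the telnet session sends: the TRACE request line,
    one marker header (so we can see it echoed), and the blank line."""
    req = (b"TRACE / HTTP/1.0\r\n"
           b"X-Probe: trace-check\r\n"   # assumed marker header name
           b"\r\n")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:          # HTTP/1.0 server closes after the response
                break
            chunks.append(data)
    return b"".join(chunks)


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE enabled: echoes the
    request line and headers back as message/http."""
    protocol_version = "HTTP/1.0"

    def do_TRACE(self):
        body = self.raw_requestline + "".join(
            f"{k}: {v}\r\n" for k, v in self.headers.items()).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class DenyingTraceHandler(EchoingTraceHandler):
    """Constructed stand-in for the hardened server: TRACE is refused with
    403, as Tomcat 5 did once the security-constraint was in place."""

    def do_TRACE(self):
        self.send_error(403, "TRACE is not allowed")


def serve(handler_cls):
    """Start a throwaway loopback server on a free port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_local(handler_cls) -> str:
    """Stand up the given stand-in, probe it, tear it down, return the verdict."""
    srv, port = serve(handler_cls)
    try:
        return classify_trace_response(probe_trace("127.0.0.1", port))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("unhardened stand-in:", check_local(EchoingTraceHandler))  # enabled
    print("hardened stand-in:  ", check_local(DenyingTraceHandler))  # disabled
```

Against a real deployment, call probe_trace with the host and port of the server (and repeat for each connector, since a constraint in one webapp's web.xml only covers the URL space that webapp serves); a verdict of "disabled" means the method is blocked before any content is echoed, which is the condition a scanner is checking for.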
