Stephan,

On 1/23/14, 9:57 AM, Stephan Fletcher wrote:
> Can anyone tell me how to fix the following in my Tomcat config.
> I'm using Apache Tomcat 7.0.30 and I'm failing on the following PCI
> Security scans.
>
> 1. Title: Web server allows PUT: /
>
> Impact: An attacker may be able to upload files onto the web server.
>
> Data Received: Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
>
> Resolution: Configure the web server not to accept PUT requests. If
> you require the functionality of PUT for web publishing, use a put
> script which can only be run by authorized users, which ensures
> that the script can update only web content files, and which
> ensures that users can only update their own pages.
>
> 2. Title: Web server allows HTTP method DELETE
>
> Impact: The HTTP DELETE method may allow an attacker to delete
> arbitrary content from the Web Server.
>
> Data Received: Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
>
> Resolution: Disable the DELETE method in the Web Server
> configuration. If this is not an option, use one of the following
> workarounds:
>
> Apache: Disable the DELETE method by including the following in the
> Apache configuration:
>
>   <Limit DELETE>
>     Order Deny,Allow
>     Deny from All
>   </Limit>
>
> Any help would be greatly appreciated.

IIRC, Tomcat-compiled JSP scripts used to respond to every kind of HTTP
verb, including things that weren't standard at all (like HELLO!). I
believe that was fixed a while back -- not sure when... I can't seem to
find anything in the change log for Tomcat 7, so maybe that was a long,
long time ago.

I just tried OPTIONS on 7.0.47 to a random JSP and it responded by
actually running the JSP in standard "GET"-style mode.

Actually... I ran it like this:

  $ openssl s_client -connect myhost:443
  HELLO /path/test.jsp HTTP/1.1
  Connection: close
  Host: myhost
  [CRLF]

... and my JSP ran. That's a little surprising but definitely not
dangerous. PUT and DELETE do the same thing: just run the JSP as usual.
Mark's response is probably the more accurate: your vulnerability
scanner is just too lazy to find an actual vulnerability but just
reports that you are insecure because of a zero-research response it
got to a single request.

-chris
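The thread never shows the Tomcat-side fix, so here is an added example (not code from the thread, from Tomcat, or from its documentation) of the two ways a Servlet 3.0 / Tomcat 7 web.xml can constrain HTTP verbs. It assumes the application needs only GET, HEAD and POST and that the constraint should cover every path (url-pattern /*); adjust both to fit the application. Keep only one of the two constraints; they are shown side by side to contrast the weak form with the hardened one.

```xml
<!-- Added example, not from the thread. Goes in the application's
     WEB-INF/web.xml, or in conf/web.xml to cover every deployed
     application. Assumes the app needs only GET, HEAD and POST. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- WEAK: only the verbs you list are constrained. PUT and DELETE
       are now refused, but a JSP still runs for OPTIONS, TRACE or a
       made-up verb such as HELLO, because none of those is named here.
       This is the deny-list the scanner text nudges you toward. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Deny PUT and DELETE only</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <!-- empty auth-constraint: no role may access, i.e. always denied -->
    <auth-constraint/>
  </security-constraint>

  <!-- HARDENED: constrain every verb EXCEPT the ones the application
       needs. Anything not omitted below (PUT, DELETE, OPTIONS, TRACE,
       HELLO, ...) is refused before any servlet or JSP is invoked. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Allow only GET, HEAD and POST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>HEAD</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

Two things worth knowing when deciding whether this is needed at all. PUT and DELETE against static content are already refused by Tomcat's DefaultServlet unless its `readonly` init-param has been set to false (the default is true), so the scanner's Allow header on its own does not prove anything is writable. JSPs are different: the generated servlet's service() hands every verb to _jspService, which is exactly the behaviour the reply above observed with HELLO, and a constraint with an empty auth-constraint is what stops the JSP from running for verbs you did not allow. After deploying, re-run the probe from the reply (or `curl -k -i -X HELLO https://myhost/path/test.jsp` and the same with `-X PUT`) and confirm the response is a 403 and the JSP body is absent. Tomcat 7.0.30 is long out of support, so upgrading is the other part of the fix.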