Bill Barker wrote:
Bill Barker wrote:
Ok, this isn't right. Tomcat defaults to NonLoginAuthenticator if there is
no login-config. This one just approves everybody for everything.
Ok. This isn't absolutely critical, but needs to be fixed.
I just tested this with a fresh build of everything, and
- Original Message -
From: "Remy Maucherat" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Sunday, January 11, 2004 1:18 AM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
Bill Barker wrote:
Ok, this isn't right. Tomcat defaults to NonLoginAuthenticator if there is
no login-config. This one just approves everybody for everything.
Ok. This isn't absolutely critical, but needs to be fixed.
Rémy
- Original Message -
From: "Bill Barker" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Saturday, January 10, 2004 6:28 PM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
- Original Message -
From: "Remy Maucherat" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Saturday, January 10, 2004 5:24 AM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
Remy Maucherat wrote:
Remy Maucherat wrote:
Bill Barker wrote:
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned
a 403 response.
I don't care about this lame XSS bug. However, what you describe
doesn't wor
Remy Maucherat wrote:
Bill Barker wrote:
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a
403 response.
I don't care about this lame XSS bug. However, what you describe doesn't
work for me.
There are two is