----- Original Message ----- 
From: "Bill Barker" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Saturday, January 10, 2004 6:28 PM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability


>
> ----- Original Message ----- 
> From: "Remy Maucherat" <[EMAIL PROTECTED]>
> To: "Tomcat Developers List" <[EMAIL PROTECTED]>
> Sent: Saturday, January 10, 2004 5:24 AM
> Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
>
>
> > Remy Maucherat wrote:
> > > Bill Barker wrote:
> > >
> > >> I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
> > >> security-constraint in the ROOT web.xml) and Tomcat happily returned a
> > >> 403 response.
> > >
> > > I don't care about this lame XSS bug. However, what you describe doesn't
> > > work for me.
> >
> > There are two issues that I can see:
> > - if there's no auth-constraint, then it just passes through (I think it
> > should instead return a 403 right away)
>
> No, that's what the servlet-spec says should happen.
>
> > - if there's no login config, then it also just passes through (I think
> > it should instead return a 403 right away)
>
> I think this is a problem with the deployment (i.e. Tomcat doesn't register
> an Authenticator if it doesn't know which one to use).

Ok, this isn't right.  Tomcat defaults to NonLoginAuthenticator if there is
no login-config.  This one just approves everybody for everything.

>
> >
> > Those are likely regressions after the rewrite of the algorithm, but
> > it's good to find them before a release :)
> >
> > The idea is to fix the "vulnerability" by adding in conf/web.xml:
> >    <!-- ======================= Disable TRACE by default =================== -->
> >
> >    <security-constraint>
> >      <web-resource-collection>
> >         <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
> >         <url-pattern>/*</url-pattern>
> >         <http-method>TRACE</http-method>
> >      </web-resource-collection>
> >    </security-constraint>
> >
> > I'll do a quick bench to see if it hurts performance, just in case (I
> > think it doesn't as the matching is efficient).
> >
> > Rémy
> >
> >
> >
>
>
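Added example (not from the thread and not Tomcat's own conf/web.xml): the constraint as quoted above has no <auth-constraint>, which the servlet spec treats as an unrestricted resource, so TRACE still passes through; the second block adds an empty <auth-constraint/>, which names no roles and therefore denies every caller, producing the 403 regardless of login-config or which Authenticator Tomcat registers.

```xml
<!-- Constructed example, not from the thread. -->

<!-- Weak form: a web-resource-collection with no <auth-constraint>
     restricts nothing, so the container lets TRACE through. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
</security-constraint>

<!-- Corrected form: an empty <auth-constraint/> lists no role-name, which
     the servlet spec defines as "access denied to all users", so every
     TRACE request to any path is answered with 403, whether or not the
     web application declares a <login-config>. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DisableExploitTraceHTTP</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Only the second form belongs in conf/web.xml; the first is shown to make the difference visible.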


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]