James,

On 3/17/20 18:31, James H. H. Lampert wrote:
>
> On 3/17/20 3:18 PM, Martynas Jusevičius wrote:
>> why should DELETE or OPTIONS not be enabled? They are standard
>> HTTP methods.
>
> True, but (quoting the audit report)
>> . . . [DELETE] may allow a remote attacker to delete arbitrary
>> files . . . .

With (undue) respect to the auditors, using the SHUTDOWN method may
allow a remote attacker to shut down your server while the
DOWNLOAD_DATABASE method may allow an attacker to download your whole
database.

> and (again quoting the report)
>> Web servers that respond to the OPTIONS HTTP method expose what
>> other methods are supported by the web server, allowing attackers
>> to narrow and intensify their efforts.

The entire point of the OPTIONS method is to advertise what is
allowed. There are other ways to discover what is allowed: simply try
everything and see what works. OPTIONS is an optimization which is
essentially required by some protocols (e.g. WebDAV).

If you don't need it, you can disable it.

IIRC, JSPs "allow" all methods but they all end up calling
service(...) and doing whatever the JSP is supposed to do (which is
almost always a GET or POST handler). So just because DELETE and/or
OPTIONS don't cause any errors doesn't mean that DELETE will actually
delete a file.

You can put a filter in place to reject all such requests, but if your
application needs them then it will break your application. If your
application does not need them then they are harmless, assuming your
application does not have any exploitable vulnerabilities.

-chris
