Mark,
On 9/9/21 03:05, Mark Thomas wrote:
On 08/09/2021 20:50, Christopher Schultz wrote:
Mark,
On 9/8/21 11:28, Mark Thomas wrote:
On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
You need to talk to the Spring folks then. Default Tomcat behaviour
is to return a 405 with an error message in the response. I've just
double checked this with telnet and 9.0.x.
<rant>
As an aside, the idea that any TRACE response is a security issue
with the server, whether it contains a "malicious" header or not is
nonsense. The only thing a user agent anywhere should be doing with a
TRACE response is displaying it as plain text. If a user agent does
something else with the response, and especially if it does something
reckless like treating it as HTML, then that is a security issue with
the user agent, not the server.
</rant>
Super duper vuln:
$ curl -X TRACE --header '....' myurl | bash
RCE every time, bro.
:)
You would have got bonus points if the first character was '#' rather
than '$'.
sudo make me a sandwich[1] ?
-chris
[1] https://xkcd.com/149/
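A small check that captures what Mark describes (a 405 from a default Tomcat versus a server that still echoes the request, probe header included). This is an added example, not code from the thread or from Tomcat or Spring; both responses are constructed and the `X-Probe-Marker` header name is an assumption.

```python
def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.1 response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_trace_response(raw: bytes, marker: str) -> dict:
    """Report whether TRACE was refused (405, the Tomcat default), whether the
    probe header came back in the body, and whether the body is HTML (the
    only case in which a careless user agent could render it)."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").lower()
    return {
        "status": status,
        "trace_rejected": status == 405,
        "marker_reflected": marker.lower() in body.decode("iso-8859-1").lower(),
        "body_is_html": ctype.startswith("text/html"),
    }


def trace_disabled(raw: bytes, marker: str) -> bool:
    """True only when the server refused TRACE and nothing was echoed."""
    r = assess_trace_response(raw, marker)
    return r["trace_rejected"] and not r["marker_reflected"]


# Constructed sample: the shape of a default Tomcat refusal (405 plus an HTML
# error page). The body text is illustrative, not copied from the server.
REJECTED = (
    b"HTTP/1.1 405 \r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>HTTP Status 405</h1></body></html>"
)

# Constructed sample: a server that still honours TRACE and echoes the
# request, probe header included, as a message/http body.
REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.invalid\r\n"
    b"X-Probe-Marker: trace-check-12345\r\n\r\n"
)
```

Run `trace_disabled(raw_bytes, "X-Probe-Marker")` on a response captured with telnet or `curl -i -X TRACE` to get a yes/no answer instead of eyeballing the body.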
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org