On 14/05/2010 16:28, André Warnier wrote:
> Leo Donahue - PLANDEVX wrote:
> ...
>>
>> Yes. I wasn't implementing doPUT or doDELETE and was scratching my
>> head trying to figure out how the security scan was able to indicate
>> those methods were available.
>>
> Then it very much looks right now as if it is the scanner which is faulty.
Scanners usually do an OPTIONS request and then complain when PUT, DELETE or TRACE are included in the Allow header of the response. <rant>Putting to one side that TRACE is only considered a security risk due to the non-spec-compliant behaviour of a certain browser, and therefore the software the scanners should be complaining about is the browser, not a 100% secure, spec-compliant web server implementation</rant> the scanners don't try a PUT, DELETE or TRACE request to see whether or not the request will be permitted.

The scanners do this to test in a non-destructive way. If they actually tried a DELETE and it worked, folks may get upset. TRACE & PUT could be tested safely, but it is hard to test DELETE without causing some damage if it is permitted.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
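The gap Mark describes, between what an OPTIONS response advertises in Allow and what the server actually permits, is easy to close for TRACE and PUT with a follow-up probe. The script below is an added example and not part of the thread or of Tomcat: it runs a small mock HTTP server (constructed here, with a configurable set of honoured methods) that advertises PUT, DELETE and TRACE in Allow regardless of what it implements, then audits it the way a more careful scanner would. TRACE is confirmed by sending a uniquely named header and checking that the message/http body reflects it; PUT is confirmed by writing to a random, non-existent path (an assumption: this is only "safe" on a server where a stray PUT to an unused path is acceptable); DELETE is reported as unverified, since there is no non-destructive way to prove it works.

```python
"""Separate what an OPTIONS Allow header advertises from what a server
actually permits, using safe follow-up probes (added example)."""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Methods a scanner typically flags when they appear in Allow.
FLAGGED = ("PUT", "DELETE", "TRACE")


def make_handler(permitted):
    """Mock server (constructed for this example): always advertises
    PUT/DELETE/TRACE in Allow but only honours the methods in `permitted`,
    mimicking a servlet whose OPTIONS answer is broader than its doXxx code."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def log_message(self, *args):  # keep the demo quiet
            pass

        def _reply(self, status, body=b"", content_type=None):
            self.send_response(status)
            if content_type:
                self.send_header("Content-Type", content_type)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_OPTIONS(self):
            self.send_header  # noqa: B018 (explicit: Allow is the whole point)
            self.send_response(200)
            self.send_header("Allow", "GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def do_PUT(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
            self._reply(201 if "PUT" in permitted else 405)

        def do_DELETE(self):
            self._reply(204 if "DELETE" in permitted else 405)

        def do_TRACE(self):
            if "TRACE" not in permitted:
                return self._reply(405)
            # Spec behaviour: echo the request line and headers back to the client.
            echo = f"{self.command} {self.path} {self.request_version}\r\n" + str(self.headers)
            self._reply(200, echo.encode(), "message/http")

    return Handler


def start_mock(permitted):
    """Start the mock on an ephemeral loopback port; caller calls .shutdown()."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(permitted))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _request(host, port, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        data = resp.read()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, data
    finally:
        conn.close()


def advertised_methods(host, port, path="/"):
    """What the scanner sees: the parsed Allow header of an OPTIONS response."""
    _, headers, _ = _request(host, port, "OPTIONS", path)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def audit(host, port, path="/"):
    """Return {method: verdict} for each flagged method that Allow advertises.
    TRACE and PUT are probed; DELETE is never exercised."""
    verdicts = {}
    for method in FLAGGED:
        if method not in advertised_methods(host, port, path):
            continue
        if method == "TRACE":
            marker = f"X-Probe-{uuid.uuid4().hex[:8]}"  # unique, so a reflection is unambiguous
            status, _, body = _request(host, port, "TRACE", path, headers={marker: "1"})
            ok = status == 200 and marker.encode() in body
            verdicts["TRACE"] = "permitted" if ok else "advertised-only"
        elif method == "PUT":
            probe = f"/.probe-{uuid.uuid4().hex}"  # assumption: an unused path is safe to PUT
            status, _, _ = _request(host, port, "PUT", probe, body=b"probe")
            verdicts["PUT"] = "permitted" if status in (200, 201, 204) else "advertised-only"
        else:
            verdicts["DELETE"] = "unverified"  # no non-destructive test exists
    return verdicts


if __name__ == "__main__":
    for honoured in (set(), {"PUT", "TRACE"}):
        srv = start_mock(honoured)
        host, port = srv.server_address
        print(f"honours {sorted(honoured) or 'nothing'}: {audit(host, port)}")
        srv.shutdown()
```

Against the first mock, which honours nothing, Allow still lists all three methods but the audit reports PUT and TRACE as advertised-only; against the second it reports them as permitted. DELETE stays "unverified" in both cases, which is exactly the limitation Mark points out.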