Bill Barker wrote:
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
response.
I don't care about this lame XSS bug. However, what you describe doesn't work for me.
There are two issues that I can see:
- if there's no auth-constraint, then it just passes through (I think it should instead return a 403 right away)
- if there's no login config, then it also just passes through (I think it should instead return a 403 right away)
Those are likely regressions after the rewrite of the algorithm, but it's good to find them before a release :)
The idea is to fix the "vulnerability" by adding in conf/web.xml:
<!-- ======================= Disable TRACE by default =================== -->
<security-constraint>
<web-resource-collection>
<web-resource-name>DisableExploitTraceHTTP</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>TRACE</http-method>
</web-resource-collection>
</security-constraint>I'll do a quick bench to see if it hurts performance, just in case (I think it doesn't as the matching is efficient).
Rémy
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
