Remy Maucherat wrote:
Bill Barker wrote:
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
response.
I don't care about this lame XSS bug. However, what you describe doesn't work for me.
There are two issues that I can see:
- if there's no auth-constraint, then it just passes through (I think it should instead return a 403 right away)
- if there's no login config, then it also just passes through (I think it should instead return a 403 right away)
Those are likely regressions after the rewrite of the algorithm, but it's good to find them before a release :)
The idea is to fix the "vulnerability" by adding in conf/web.xml:
<!-- ======================= Disable TRACE by default =================== -->
<security-constraint> <web-resource-collection> <web-resource-name>DisableExploitTraceHTTP</web-resource-name> <url-pattern>/*</url-pattern> <http-method>TRACE</http-method> </web-resource-collection> </security-constraint>
I'll do a quick bench to see if it hurts performance, just in case (I think it doesn't as the matching is efficient).
I think I made a mistake, this should apparently be: <security-constraint> <web-resource-collection> <web-resource-name>DisableExploitTraceHTTP</web-resource-name> <url-pattern>/*</url-pattern> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint/> </security-constraint>
Otherwise, without the empty auth-constraint, it apparently means all access (please check this is correct ;) ).
Rémy
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
