On Feb 18, 2013, at 12:55 PM, Mark Thomas wrote:

> On 18/02/2013 18:19, Sachin wrote:
>> I'm testing it with w3af(http://w3af.sourceforge.net) since that's what our
>> security certifying vendor tests application against.
>> 
>> And it logs -  The URL "http://localhost:8080/app/"; has the following
>> allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was found
>> in the request with id 19.
> 
> That looks like a false positive although I'm not sure how it is happening. 
> You'd have to dig into the test to look at the HTTP request and response 
> headers to see what is going on.
> 
> Mark

IIRC, I think I witnessed a while back Tomcat report that TRACE was allowed in 
an OPTIONS request, but then refuse the request when an actual TRACE was made. 
I've also seen this happen with PUT. Perhaps w3af is taking the OPTIONS 
response at face value instead of actually testing whether a TRACE request is 
allowed? I would suggest that w3af should do both, but I would also suggest 
that Tomcat should not include TRACE in the OPTIONS response if TRACE is really 
disallowed, and likewise for the other methods.

My $0.02.

N

>> Thanks & Regards
>> Sachin
>> 
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Monday, February 18, 2013 11:34 PM
>> To: Tomcat Users List
>> Subject: Re: tomcat 7.0.22 - allowTrace="false" not working
>> 
>> On 18/02/2013 15:00, Sachin wrote:
>>> Hi,
>>> 
>>> I want to disable http TRACE method in my application which is running
>>> on tomcat 7.0.22 web-server.
>>> Though apache tomcat configuration for http says that it is set to
>>> false by default, it allows TRACE. I tried setting it to false
>>> specifically, but still it allows.
>>> I searched through your mail archives hosted on 4-5 sites and general
>>> web but could not find a working solution. Please help.
>>> 
>>> Here is 'connector' (only 1) from my server.xml
>>> 
>>>   <Connector port="8080" protocol="HTTP/1.1" server="SACHIN"
>>>     connectionTimeout="20000" allowTrace="false"
>>>                  redirectPort="8443" />
>> 
>> How are you testing this?
>> 
>> I just tested 7.0.x trunk and see the documented behaviour. Further, there
>> has been no change in the code that handles this in a number of years.
>> 
>> Mark
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org

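As an added example (not from this thread, and not Tomcat or w3af code): a small Python check that does both of the things suggested above, reading the OPTIONS Allow header and then sending a real TRACE to see whether it is honoured, so the two can be compared. It runs against a constructed loopback server that mimics the reported behaviour; host, port and path are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class AdvertisesTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in (not Tomcat) for the behaviour described in the thread:
    OPTIONS lists TRACE in Allow, but an actual TRACE is refused with 405."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, POST, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        self.send_error(405)  # the effect allowTrace="false" is meant to have

def start_server():
    """Bind the stand-in on an ephemeral loopback port and serve it in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), AdvertisesTraceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def advertised_methods(host, port, path="/"):
    """Methods the server *claims* to allow, taken from the OPTIONS Allow header."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow = resp.getheader("Allow") or ""
    conn.close()
    return {m.strip().upper() for m in allow.split(",") if m.strip()}

def trace_enabled(host, port, path="/"):
    """TRACE is enabled only if the server echoes the request back (200, message/http)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path)
    resp = conn.getresponse()
    resp.read()
    ctype = resp.getheader("Content-Type", "")
    conn.close()
    return resp.status == 200 and ctype.startswith("message/http")

def check(host, port, path="/"):
    """Return (advertised, actually_enabled); (True, False) is the false positive."""
    return "TRACE" in advertised_methods(host, port, path), trace_enabled(host, port, path)
```

Against the stand-in, `check()` returns `(True, False)`: the OPTIONS response is what a scanner trusting Allow at face value would flag, while the actual TRACE is refused.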