2013/2/18 Sachin <sac...@nitman.co.in>:
> I'm testing it with w3af(http://w3af.sourceforge.net) since that's what our
> security certifying vendor tests application against.
>
> And it logs -  The URL "http://localhost:8080/app/" has the following
> allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was found
> in the request with id 19.
>
>
> Thanks & Regards
> Sachin
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Monday, February 18, 2013 11:34 PM
> To: Tomcat Users List
> Subject: Re: tomcat 7.0.22 - allowTrace="false" not working
>
> On 18/02/2013 15:00, Sachin wrote:
>> Hi,
>>
>> I want to disable http TRACE method in my application which is running
>> on tomcat 7.0.22 web-server.
>> Though apache tomcat configuration for http says that it is set to
>> false by default, it allows TRACE. I tried setting it to false
>> specifically, but still it allows.
>> I searched through your mail archives hosted on 4-5 sites and general
>> web but could not find a working solution. Please help.
>>
>> Here is 'connector' (only 1) from my server.xml
>>
>>   <Connector port="8080" protocol="HTTP/1.1" server="SACHIN"
>>       connectionTimeout="20000" allowTrace="false"
>>                  redirectPort="8443" />


The TRACE method vulnerability occurs only if a web server produces
proper TRACE response, which includes an echo of original request. See
http://www.kb.cert.org/vuls/id/867593

If that scanner detects anything other than such a response, it is a mere
false positive.

One example of a false positive is that if you send an OPTIONS request
to almost any servlet, the "Allow" header in its response will by default
include the TRACE method (as implemented in the
javax.servlet.http.HttpServlet class).

If allowTrace="false" (as it is by default), Tomcat will stop any
TRACE request before it reaches the web application.

Best regards,
Konstantin Kolinko
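The distinction Konstantin draws above (a TRACE echo is the finding; TRACE in an Allow header is not) can be checked directly rather than trusting the scanner. The following Python probe is an added example, not code from this thread or from the Tomcat project: it sends a raw TRACE carrying a private marker header and reports the server as exploitable only when the reply is a 200 of type message/http whose body contains that marker, and it parses the Allow header of an OPTIONS reply separately so the two cannot be confused. The sample responses at the bottom are constructed for illustration and are not captures from Tomcat or any other server.

```python
import socket

# Constructed probe header: the echo check looks for this exact line in the
# response body, so a 200 that merely mentions TRACE is not counted.
MARKER = "X-Trace-Probe: 0xcafe"


def build_trace_request(host, port, path="/", marker=MARKER):
    """Raw HTTP/1.1 TRACE request; the marker header is what we expect echoed back."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"{marker}\r\n"
        "Connection: close\r\n\r\n"
    )


def build_options_request(host, port, path="/"):
    """Raw HTTP/1.1 OPTIONS request, used only to read the Allow header."""
    return (
        f"OPTIONS {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    )


def send_raw(host, port, request, timeout=5.0):
    """Send a raw request over a plain socket and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_is_echoed(raw, marker=MARKER):
    """The real cross-site-tracing condition: 200, message/http, and our own header in the body."""
    status, headers, body = parse_response(raw)
    content_type = headers.get("content-type", "").lower()
    return (
        status == 200
        and content_type.startswith("message/http")
        and marker.encode("ascii") in body
    )


def allowed_methods(raw):
    """Methods advertised in an Allow header; TRACE appearing here is not itself a finding."""
    _, headers, _ = parse_response(raw)
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def probe(host, port, path="/"):
    """Live check against a server: returns (trace_echoed, methods_from_options)."""
    trace_raw = send_raw(host, port, build_trace_request(host, port, path))
    options_raw = send_raw(host, port, build_options_request(host, port, path))
    return trace_is_echoed(trace_raw), allowed_methods(options_raw)


# Constructed sample responses (not captures from Tomcat or any real server).
ECHOED_TRACE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 84\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: localhost:8080\r\nX-Trace-Probe: 0xcafe\r\n"
    b"Connection: close\r\n\r\n"
)
REFUSED_TRACE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OPTIONS_WITH_TRACE = (
    b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("echoed TRACE  ->", trace_is_echoed(ECHOED_TRACE))        # True: exploitable
    print("refused TRACE ->", trace_is_echoed(REFUSED_TRACE))       # False
    print("Allow header  ->", allowed_methods(OPTIONS_WITH_TRACE))  # lists TRACE, not a finding
```

To run it against a real instance, call `probe("localhost", 8080, "/app/")`; if the first value is False the server is not echoing TRACE regardless of what the Allow header lists, which is exactly the situation the scanner output in this thread describes.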
