Can anyone tell me how to fix the following in my Tomcat config? I'm using Apache Tomcat 7.0.30 and I'm failing the following PCI security scans.
1. Title: Web server allows PUT: /
   Impact: An attacker may be able to upload files onto the web server.
   Data Received: Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
   Resolution: Configure the web server not to accept PUT requests. If you require the functionality of PUT for web publishing, use a put script which can only be run by authorized users, which ensures that the script can update only web content files, and which ensures that users can only update their own pages.

2. Title: Web server allows HTTP method DELETE
   Impact: The HTTP DELETE method may allow an attacker to delete arbitrary content from the Web Server.
   Data Received: Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
   Resolution: Disable the DELETE method in the Web Server configuration. If this is not an option, use one of the following workarounds:
   Apache: Disable the DELETE method by including the following in the Apache configuration:

       <Limit DELETE>
       Order Deny,Allow
       Deny from All
       </Limit>

Any help would be greatly appreciated.

Stephan Fletcher
Manager of Information Services
Bohren's Moving & Storage
Docusafe Records Management
3 Applegate Drive South
Robbinsville, NJ 08691
O: 609.208.1470
F: 609.208.1471
W: www.bohrensmoving.com
W: www.docusafe.com
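A small check to run against the server after changing the Tomcat configuration, as an added example that is not part of the original post: it repeats what the scanner did (an OPTIONS request and a look at the Allow header) and flags the two methods both findings name; the script name and the URL argument are assumptions.

```python
"""Re-check the PCI finding above: does the server still advertise PUT or DELETE?
Added example (not from the original post). Mirrors the scanner: one OPTIONS
request, then inspect the Allow header. The target URL is the caller's assumption."""
import sys
import urllib.error
import urllib.request

FLAGGED = {"PUT", "DELETE"}  # the methods both findings complain about
SCAN_DATA = "GET, HEAD, POST, PUT, DELETE, OPTIONS"  # constructed from "Data Received" above

def parse_allow(header):
    """Split an Allow header value into a set of upper-case method tokens."""
    if not header:
        return set()
    return {tok.strip().upper() for tok in header.split(",") if tok.strip()}

def flagged_methods(header):
    """Return, sorted, the flagged methods the Allow header advertises."""
    return sorted(parse_allow(header) & FLAGGED)

def verdict(header):
    """One-line pass/fail in the style of the scan report."""
    bad = flagged_methods(header)
    if bad:
        return "FAIL: Allow header lists " + ", ".join(bad)
    return "PASS: Allow header lists neither PUT nor DELETE"

def probe(url, timeout=10):
    """Send OPTIONS to url and return (status, Allow header value). Needs network."""
    req = urllib.request.Request(url, method="OPTIONS")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Allow")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return err.code, err.headers.get("Allow")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_methods.py http://staging.example.invalid/
        status, allow = probe(sys.argv[1])
        print("HTTP", status, "Allow:", allow)
        print(verdict(allow))
    else:
        print("Scan data:", SCAN_DATA)
        print(verdict(SCAN_DATA))
```

In Tomcat the OPTIONS Allow list is built by HttpServlet from the do* methods a servlet overrides, so it can still name PUT and DELETE after a security-constraint in web.xml rejects them with 403; treat a PASS here as one check and confirm the status code of an actual PUT and DELETE against your own server separately.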