Stephan,

On 1/23/14, 10:09 AM, Stephan Fletcher wrote:
> It's a third party that is running the scan.

Then *they* need to verify that the problem is a false-positive (or not.. it's certainly possible that you are open to a "DELETE /" attack, but probably not).

-chris

> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Thursday, January 23, 2014 10:05 AM
> To: Tomcat Users List
> Subject: Re: Deny Put & Delete
>
> On 23/01/2014 14:57, Stephan Fletcher wrote:
>> Any help would be greatly appreciated
>
> <rant>
> Buy a better vulnerability scanner. Specifically, one that understands that an OPTIONS request returns the methods that are *available* not the methods that are *permitted*.
> </rant>
>
> Assuming you haven't changed Tomcat's default configuration any attempt to actually PUT or DELETE a resource will be denied.
>
> I have a recollection that we changed the implementation of the OPTIONS request to try and help with this sort of thing. Scratch that. That was for TRACE which won't be included in an OPTIONS response unless Tomcat can confirm that it has been explicitly enabled in the Connector.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
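Added example, not part of the thread and not Tomcat code: one way to check a scanner's "PUT/DELETE enabled" finding is to compare the `Allow` header from OPTIONS with the status the server returns when the method is actually sent. The stub server, its `Allow` value, its 403 responses and the probe path are all constructed assumptions so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubServer(BaseHTTPRequestHandler):
    """Constructed stand-in: OPTIONS advertises PUT/DELETE, both are refused."""
    def _reply(self, status, allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self):
        self._reply(200, "GET, HEAD, POST, PUT, DELETE, OPTIONS")
    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        self._reply(403)
    def do_DELETE(self):
        self._reply(403)
    def log_message(self, *args):  # keep the demo quiet
        pass

def send(host, port, method, path, body=None):
    # Returns (status code, Allow header) for a single request.
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Allow", "")

def triage(host, port, probe="/scanner-verify-probe.txt"):
    """Compare what OPTIONS advertises with what the server actually accepts."""
    _, allow = send(host, port, "OPTIONS", "/")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    findings = {}
    for method in ("PUT", "DELETE"):  # probe is a throwaway path, not real content
        status, _ = send(host, port, method, probe, b"probe" if method == "PUT" else None)
        findings[method] = {"advertised": method in advertised, "status": status,
                            "accepted": 200 <= status < 300}
    return findings

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return triage("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

A method that is `advertised` but not `accepted` is the false-positive case described in the thread; one that is `accepted` is a real finding.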