Stephan Fletcher wrote:
It's a third party that is running the scan.
On this list, please do not top-post.
Maybe another response:
There are regular reports on this list of similar "security scanners" which find what they
deem to be "security vulnerabilities". Consult the list archives for more info.
It turns out that in about 99% of the cases, the problem is with the security scanner
software, and not with any real vulnerability in Tomcat.
That explains the kind of responses that you have seen so far.
Such reports mostly cause a lot of worries and jumping around, to end up generally with
nothing to really worry about, apart from time lost for everyone.
That's why people get jumpy at such posts.
If you are in the middle, there is not much you can do about it, except be confident
enough to tell the originators of the report to please check their data, and explain why
they think that there is a security issue.
If it turns out that there is a real security issue, explained in more detail than just
claiming that there is one, it will be tackled with urgency by the Tomcat developers.
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, January 23, 2014 10:05 AM
To: Tomcat Users List
Subject: Re: Deny Put & Delete
On 23/01/2014 14:57, Stephan Fletcher wrote:
Any help would be greatly appreciated
<rant>
Buy a better vulnerability scanner. Specifically, one that understands that an
OPTIONS request returns the methods that are *available*, not the methods that
are *permitted*.
</rant>
Assuming you haven't changed Tomcat's default configuration any attempt to
actually PUT or DELETE a resource will be denied.
I have a recollection that we changed the implementation of the OPTIONS request
to try and help with this sort of thing. Scratch that. That was for TRACE which
won't be included in an OPTIONS response unless Tomcat can confirm that it has
been explicitly enabled in the Connector.
Mark
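The available-versus-permitted distinction Mark draws above, as an added example that is not part of the thread: a constructed loopback server stands in for a default Tomcat (it lists PUT and DELETE in the OPTIONS Allow header but refuses both; the 403 denial code is an assumption of the mock), and the check function does what a scanner should do, namely attempt the write method instead of trusting the Allow header.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class MockTomcatHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Tomcat's default servlet: it advertises PUT and
    DELETE in the OPTIONS Allow header but refuses both (403 is assumed here)."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _deny(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_PUT = _deny
    do_DELETE = _deny

def start_mock_server():
    """Bind to an ephemeral loopback port and serve from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), MockTomcatHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def request_status(host, port, method, path="/probe.txt"):
    """Send one request with an empty body and return the response status."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, headers={"Content-Length": "0"})
    status = conn.getresponse().status
    conn.close()
    return status

def advertised_vs_permitted(host, port):
    """Step 1: read what OPTIONS advertises. Step 2: actually try each write
    method. A scanner that stops after step 1 reports a false positive."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/")
    allow = conn.getresponse().getheader("Allow", "")
    conn.close()
    advertised = {m.strip() for m in allow.split(",")}
    return {m: request_status(host, port, m) for m in ("PUT", "DELETE") if m in advertised}
```

Against the mock, advertised_vs_permitted returns {'PUT': 403, 'DELETE': 403}: both methods listed, neither permitted, which is the outcome a default Tomcat gives and the one a scanner report should be checked against.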
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org