Posted to users@tomcat.apache.org by Ben Kim <bk...@coe.tamu.edu> on 2005/02/18 08:13:56 UTC
disable put, delete
I'm running 5.0.28 and when I ran nessus scan, it gives me a warning about
put and delete methods.
I'm not sure how I should take it... It seems it's not applicable but
nessus still gives the warning.
Could anyone advise whether tomcat configuration needs to be fixed, and
then how? (The BID was not straightforward to me.)
Regards,
Ben Kim
Database Developer/Systems Administrator
434E Harrington Tower / College of Education
Texas A&M University
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: disable put, delete
Posted by Ben Kim <bk...@coe.tamu.edu>.
Thanks.
On Fri, 18 Feb 2005, Tim Funk wrote:
> If readonly is set to true, then PUT and DELETE are disabled. The scanning
> tool might be expecting a different HTTP status code when trying to exploit
> PUT and DELETE.
>
> -Tim
>
> Ben Kim wrote:
>
> >>It should already be disabled. See the configuration of the DefaultServlet in
> >> $CATALINA_HOME/conf/web.xml
> >
> >
> > I'd appreciate more advice.
> >
> > I've tested it myself and it didn't work. My nessus also says it could not
> > exploit it but recommends I disable it.
> >
> > Here's my DefaultServlet section, all surrounded by <!-- --> line by line,
> > from the $CATALINA_HOME/conf/web.xml.
> >
> > Am I right to interpret this as saying that "readonly" is [true] by
> > default (hence commented out) for DefaultServlet, so that any DELETE or
> > PUT attempt is rejected?
> >
> > ===================================================================
> >
> > The default servlet for all web applications, that serves static
> > servlets with servlet mappings (defined either here or in your own
> > web.xml file. This servlet supports the following initialization
> > parameters (default values are in square brackets):
> > ...
> > readonly Is this context "read only", so HTTP commands like PUT and
> > DELETE are rejected? [true]
> >
> > ====================================================================
> >
> > So, could I say it's been already disabled in 5.0.28 and nessus's finding
> > is wrong?
> >
> > I need to either correct this problem, or submit an explanation of why it
> > is not necessary, to my security folks, so would appreciate some kind of
> > confirmation from anyone knowledgeable.
> >
> >
> > Thanks,
> >
> > Ben Kim
> > Database Developer/Systems Administrator
> > 434E Harrington Tower / College of Education
> > Texas A&M University
> >
> >
Regards,
Ben Kim
Database Developer/Systems Administrator
434E Harrington Tower / College of Education
Texas A&M University
Re: disable put, delete
Posted by Tim Funk <fu...@joedog.org>.
If readonly is set to true, then PUT and DELETE are disabled. The scanning
tool might be expecting a different HTTP status code when trying to exploit
PUT and DELETE.
-Tim
Ben Kim wrote:
>>It should already be disabled. See the configuration of the DefaultServlet in
>> $CATALINA_HOME/conf/web.xml
>
>
> I'd appreciate more advice.
>
> I've tested it myself and it didn't work. My nessus also says it could not
> exploit it but recommends I disable it.
>
> Here's my DefaultServlet section, all surrounded by <!-- --> line by line,
> from the $CATALINA_HOME/conf/web.xml.
>
> Am I right to interpret this as saying that "readonly" is [true] by
> default (hence commented out) for DefaultServlet, so that any DELETE or
> PUT attempt is rejected?
>
> ===================================================================
>
> The default servlet for all web applications, that serves static
> servlets with servlet mappings (defined either here or in your own
> web.xml file. This servlet supports the following initialization
> parameters (default values are in square brackets):
> ...
> readonly Is this context "read only", so HTTP commands like PUT and
> DELETE are rejected? [true]
>
> ====================================================================
>
> So, could I say it's been already disabled in 5.0.28 and nessus's finding
> is wrong?
>
> I need to either correct this problem, or submit an explanation of why it
> is not necessary, to my security folks, so would appreciate some kind of
> confirmation from anyone knowledgeable.
>
>
> Thanks,
>
> Ben Kim
> Database Developer/Systems Administrator
> 434E Harrington Tower / College of Education
> Texas A&M University
>
>
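The question in this thread is whether an absent (commented-out) readonly init-param still means PUT and DELETE are rejected. The script below is an added example, not code from the thread or from the Tomcat project: it parses a web.xml, finds every servlet declared with the DefaultServlet class, and reports the effective readonly value, treating a missing init-param as the documented [true] default. The embedded web.xml is a constructed, trimmed sample in the shape of Tomcat 5.0's conf/web.xml, and the function names are my own.

```python
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample input (not a real Tomcat file): a trimmed web.xml in the
# shape of Tomcat 5.0's conf/web.xml. The "default" servlet leaves readonly
# unset, exactly the situation described in the thread.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <!-- readonly is left unset here; Tomcat documents the default as [true] -->
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_readonly(web_xml_text):
    """Audit every DefaultServlet declaration in a web.xml document.

    Returns a list of dicts with the servlet name, the effective readonly
    value (True means PUT/DELETE are rejected) and whether the value was set
    explicitly. An absent init-param is reported as readonly=True, which is
    the default the Tomcat web.xml comment documents in square brackets.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        explicit = None
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "readonly"):
                explicit = _child_text(param, "param-value")
        effective = True if explicit is None else explicit.lower() == "true"
        findings.append({
            "servlet": _child_text(servlet, "servlet-name"),
            "readonly": effective,
            "explicit": explicit is not None,
        })
    return findings


def report(web_xml_text, label="web.xml"):
    """Human-readable summary for one web.xml; returns the number of weak entries."""
    weak = 0
    for f in default_servlet_readonly(web_xml_text):
        source = "explicit" if f["explicit"] else "default"
        status = "PUT/DELETE rejected" if f["readonly"] else "PUT/DELETE ALLOWED"
        print(f"{label}: servlet '{f['servlet']}' readonly={f['readonly']} ({source}) -> {status}")
        if not f["readonly"]:
            weak += 1
    return weak


if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise each path given
    # (for example $CATALINA_HOME/conf/web.xml) is read and audited in turn.
    if len(sys.argv) == 1:
        report(SAMPLE_WEB_XML, "sample")
    else:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                report(fh.read(), path)
```

Run it against $CATALINA_HOME/conf/web.xml and any per-application WEB-INF/web.xml that redeclares the default servlet; a finding with readonly=False is the only case where the DefaultServlet would honour PUT and DELETE, and the fix is an explicit init-param setting readonly to true.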
Re: disable put, delete
Posted by Ben Kim <bk...@coe.tamu.edu>.
> It should already be disabled. See the configuration of the DefaultServlet in
> $CATALINA_HOME/conf/web.xml
I'd appreciate more advice.
I've tested it myself and it didn't work. My nessus also says it could not
exploit it but recommends I disable it.
Here's my DefaultServlet section, all surrounded by <!-- --> line by line,
from the $CATALINA_HOME/conf/web.xml.
Am I right to interpret this as saying that "readonly" is [true] by
default (hence commented out) for DefaultServlet, so that any DELETE or
PUT attempt is rejected?
===================================================================
The default servlet for all web applications, that serves static
servlets with servlet mappings (defined either here or in your own
web.xml file. This servlet supports the following initialization
parameters (default values are in square brackets):
...
readonly Is this context "read only", so HTTP commands like PUT and
DELETE are rejected? [true]
====================================================================
So, could I say it's been already disabled in 5.0.28 and nessus's finding
is wrong?
I need to either correct this problem, or submit an explanation of why it
is not necessary, to my security folks, so would appreciate some kind of
confirmation from anyone knowledgeable.
Thanks,
Ben Kim
Database Developer/Systems Administrator
434E Harrington Tower / College of Education
Texas A&M University
Re: disable put, delete
Posted by Tim Funk <fu...@joedog.org>.
It should already be disabled. See the configuration of the DefaultServlet in
$CATALINA_HOME/conf/web.xml
-Tim
Ben Kim wrote:
> I'm running 5.0.28 and when I ran nessus scan, it gives me a warning about
> put and delete methods.
>
> I'm not sure how I should take it... It seems it's not applicable but
> nessus still gives the warning.
>
> Could anyone advise whether tomcat configuration needs to be fixed, and
> then how? (The BID was not straightforward to me.)
>