Posted to users@tomcat.apache.org by Sachin <sa...@nitman.co.in> on 2013/02/18 16:00:54 UTC

tomcat 7.0.22 - allowTrace="false" not working

Hi,

I want to disable the HTTP TRACE method in my application, which is running on
a Tomcat 7.0.22 web server.
Though the Apache Tomcat configuration for HTTP says that it is set to false by
default, it allows TRACE. I tried setting it to false explicitly, but it
still allows it.
I searched through your mail archives hosted on 4-5 sites and the general web
but could not find a working solution. Please help.

Here is the 'Connector' (only one) from my server.xml:

  <Connector port="8080" protocol="HTTP/1.1" server="SACHIN"
             connectionTimeout="20000" allowTrace="false"
             redirectPort="8443" />


Thanks & Regards
Sachin




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: tomcat 7.0.22 - allowTrace="false" not working

Posted by Sachin <sa...@nitman.co.in>.
Further to my investigation,

I tried sending a TRACE request with telnet:
	telnet localhost 8080
	TRACE / HTTP/1.1
	A: b
	C: d
	Host: localhost

With Tomcat 7.0.22, it always returned an 'HTTP/1.1 404 Not Found' response,
even with allowTrace="true".

But when I tried this with Tomcat 5:
1. By default it gave me 200 (OK), which suggests TRACE is allowed by
default.
2. After adding allowTrace="false", it returned a nice 'HTTP/1.1 403 TRACE
method is not allowed'.

So, in short, Tomcat 5 gave me the described behaviour correctly, but
Tomcat 7 did not with this approach.


Thanks & Regards
Sachin


RE: tomcat 7.0.22 - allowTrace="false" not working

Posted by Sachin <sa...@nitman.co.in>.
Thanks Mark and Nick.
As far as I can see from the w3af documentation, they are looking at OPTIONS to
show the allowed methods (as Nick guessed).

Mark,
Can you suggest an alternative way to prove that TRACE is not allowed on my
web server, if that is possibly a false positive?


Thanks & Regards
Sachin


Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Nick Williams <ni...@nicholaswilliams.net>.
On Feb 18, 2013, at 1:11 PM, Mark Thomas wrote:

> 
> No supported Tomcat version has behaved that way for over three years including the entirety of the 7.0.x branch.
> 
> Mark

Okay. This was a couple of years ago that I saw this, and it was Tomcat 6.0 at the time, so that would probably explain why I saw what I saw. It would not explain the false positive he is seeing on 7.0.22, since the entire 7.0.x branch has handled this correctly.

Nick

Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Mark Thomas <ma...@apache.org>.
On 18/02/2013 19:03, Nick Williams wrote:
> IIRC, I think I witnessed a while back Tomcat report that TRACE was allowed in an OPTIONS request, but then refuse the request when an actual TRACE was made. I've also seen this happen with PUT. Perhaps w3af is taking the OPTIONS response at face value instead of actually testing whether a TRACE request is allowed? I would suggest that w3af should do both, but I would also suggest that Tomcat should not include TRACE in the OPTIONS response if TRACE is really disallowed, and likewise for the other methods.

No supported Tomcat version has behaved that way for over three years
including the entirety of the 7.0.x branch.

Mark




Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Nick Williams <ni...@nicholaswilliams.net>.
On Feb 18, 2013, at 12:55 PM, Mark Thomas wrote:

> 
> That looks like a false positive although I'm not sure how it is happening. You'd have to dig into the test to look at the HTTP request and response headers to see what is going on.
> 
> Mark

IIRC, I think I witnessed a while back Tomcat report that TRACE was allowed in an OPTIONS request, but then refuse the request when an actual TRACE was made. I've also seen this happen with PUT. Perhaps w3af is taking the OPTIONS response at face value instead of actually testing whether a TRACE request is allowed? I would suggest that w3af should do both, but I would also suggest that Tomcat should not include TRACE in the OPTIONS response if TRACE is really disallowed, and likewise for the other methods.

My $0.02.

N



Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Mark Thomas <ma...@apache.org>.
On 18/02/2013 18:19, Sachin wrote:
> I'm testing it with w3af (http://w3af.sourceforge.net) since that's what our
> security certifying vendor tests applications against.
>
> And it logs: The URL "http://localhost:8080/app/" has the following
> allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was found
> in the request with id 19.

That looks like a false positive although I'm not sure how it is
happening. You'd have to dig into the test to look at the HTTP request
and response headers to see what is going on.

Mark


> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Monday, February 18, 2013 11:34 PM
> To: Tomcat Users List
> Subject: Re: tomcat 7.0.22 - allowTrace="false" not working
>
> How are you testing this?
>
> I just tested 7.0.x trunk and see the documented behaviour. Further, there
> has been no change in the code that handles this in a number of years.
>
> Mark


RE: tomcat 7.0.22 - allowTrace="false" not working

Posted by Sachin <sa...@nitman.co.in>.
Chris,

I did the test with an HTML page, and the results are still the same. I guess I can't rely on that test; I have to find an alternative way to test.


Thanks & Regards
Sachin



Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Technical Support <te...@brainstalk.com>.
Hi,

I'm a beginner in Linux. Can anyone help me develop my skills in Linux?

Regards

Chak Teylor


Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sachin,

On 2/22/13 12:50 AM, Sachin wrote:
> It does access a JSP page. But even I was expecting to stop TRACE
> by specifically adding allowTrace="false". And as I've checked,
> tomcat 5 is giving me this behavior properly but not 7.0.22.

Can you repeat your tests with a URL that hits a non-JSP servlet?

-chris


RE: tomcat 7.0.22 - allowTrace="false" not working

Posted by Sachin <sa...@nitman.co.in>.
Yes Chris,

It does access a JSP page. But even so, I was expecting to stop TRACE by specifically adding allowTrace="false".
And as I've checked, Tomcat 5 is giving me this behaviour properly but 7.0.22 is not.


Thanks & Regards
Sachin


Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sachin,

On 2/18/13 1:19 PM, Sachin wrote:
> I'm testing it with w3af (http://w3af.sourceforge.net) since that's
> what our security certifying vendor tests applications against.
> 
> And it logs: The URL "http://localhost:8080/app/" has the
> following allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This
> information was found in the request with id 19.

Does the request to /app/ perhaps access a JSP page? IIRC, JSP pages
will respond to *any* HTTP method, even non-standard ones like FOOBAR
and such. I would have expected allowTrace="false" to stop TRACE
specifically, though.

I believe this has recently been clarified in the spec, and JSPs will
be (at least by default?) restricted to HEAD, GET, and POST in the
next spec release. (Just from memory: I don't have a reference).

-chris


RE: tomcat 7.0.22 - allowTrace="false" not working

Posted by Sachin <sa...@nitman.co.in>.
Thanks Konstantin.

That did the trick. I've now added a filter to override the response to OPTIONS
requests so that 'TRACE' is not in the 'Allow' header.
Now the tests show the expected results.

Thanks all for your responses.


Thanks & Regards
Sachin


Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/2/22 Nick Williams <ni...@nicholaswilliams.net>:
>
>> On Feb 22, 2013, at 7:49 AM, Konstantin Kolinko wrote:
>>
>> One example of false positive is that if you send an OPTIONS request
>> to almost any servlet, the "Allow" header in its response by default
>> will include the TRACE method (as implemented in
>> javax.servlet.http.HttpServlet class).
>
>
> Konstantin, I had said Monday [1] that I had observed Tomcat doing that
> before, but Mark corrected me and pointed out that that was fixed in Tomcat
> three years ago, and that the 7.0.x branch has never behaved that way.
> *scratches head*
>
> [1]
> http://tomcat.markmail.org/search/?q=allowTrace#query:allowTrace+page:2+mid:bvqkjjps2nvzui3z+state:results
> [2]
> http://tomcat.markmail.org/search/?q=allowTrace#query:allowTrace+page:2+mid:gg2h43ihalbdzi4j+state:results
>

1. Please try not to use HTML formatting when sending e-mails to
the list, as stated at
http://tomcat.apache.org/lists.html

2. In Markmail you can get a short and fairly "permanent" URL for a
message or for a thread if you click on the "link chain" icon at the
top right above a message or above a thread. E.g.
 [1] -> http://markmail.org/message/bvqkjjps2nvzui3z
 [2] -> http://markmail.org/message/gg2h43ihalbdzi4j

3. Responding to "OPTIONS" requests is the responsibility of servlets,
not of Tomcat.

Tomcat's DefaultServlet does not list TRACE in its OPTIONS
response. Other servlets do.

With 7.0.x, sending
  OPTIONS /examples/servlets/servlet/HelloWorldExample HTTP/1.0

results in
  HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Allow: GET, HEAD, TRACE, OPTIONS
  Content-Length: 0
  Date: Tue, 19 Feb 2013 10:28:57 GMT
  Connection: close

  TRACE /examples/servlets/servlet/HelloWorldExample HTTP/1.0

results in
  HTTP/1.1 405 Method Not Allowed
  Server: Apache-Coyote/1.1
  Allow: GET, OPTIONS, HEAD
  Content-Length: 0
  Date: Tue, 19 Feb 2013 10:38:07 GMT
  Connection: close

If anybody is concerned about the OPTIONS response, one easy way to
provide your own response to OPTIONS requests is to configure a Filter.

Best regards,
Konstantin Kolinko


Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Nick Williams <ni...@nicholaswilliams.net>.
On Feb 22, 2013, at 7:49 AM, Konstantin Kolinko wrote:

> 
> 
> The TRACE method vulnerability occurs only if a web server produces
> proper TRACE response, which includes an echo of original request. See
> http://www.kb.cert.org/vuls/id/867593
> 
> If that scanner detects anything else than such response, it is a mere
> false positive.
> 
> One example of false positive is that if you send an OPTIONS request
> to almost any servlet, the "Allow" header in its response by default
> will include the TRACE method (as implemented in
> javax.servlet.http.HttpServlet class).

Konstantin, I had said Monday [1] that I had observed Tomcat doing that before, but Mark corrected me and pointed out that that was fixed in Tomcat three years ago, and that the 7.0.x branch has never behaved that way.  *scratches head*

[1] http://tomcat.markmail.org/search/?q=allowTrace#query:allowTrace+page:2+mid:bvqkjjps2nvzui3z+state:results
[2] http://tomcat.markmail.org/search/?q=allowTrace#query:allowTrace+page:2+mid:gg2h43ihalbdzi4j+state:results

> 
> If allowTrace="false" (as it is by default), Tomcat will stop any
> TRACE request before it reaches the web application.
> 
> Best regards,
> Konstantin Kolinko
> 


Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/2/18 Sachin <sa...@nitman.co.in>:
> I'm testing it with w3af (http://w3af.sourceforge.net) since that's what our
> security certifying vendor tests applications against.
>
> And it logs: The URL "http://localhost:8080/app/" has the following
> allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was found
> in the request with id 19.


The TRACE method vulnerability occurs only if a web server produces a
proper TRACE response, which includes an echo of the original request. See
http://www.kb.cert.org/vuls/id/867593

If that scanner detects anything other than such a response, it is a mere
false positive.

One example of false positive is that if you send an OPTIONS request
to almost any servlet, the "Allow" header in its response by default
will include the TRACE method (as implemented in
javax.servlet.http.HttpServlet class).

If allowTrace="false" (as it is by default), Tomcat will stop any
TRACE request before it reaches the web application.

Best regards,
Konstantin Kolinko
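
A check for the point made above, added here as an example and not part of this thread or of Tomcat itself: it sends a raw TRACE carrying an unusual marker header and reports the endpoint as vulnerable only if that marker comes back in the body (the echo that VU#867593 describes); separately it reports what the OPTIONS Allow header lists, which on its own is not a finding. The header name X-Xst-Probe, the canary value, and the canned responses used to exercise the classifier offline are all constructed for the example, modelled on the telnet results reported earlier in the thread.

```python
"""Distinguish a real TRACE (cross-site tracing) finding from the OPTIONS
"Allow: ... TRACE" false positive discussed in the thread.

Added example, not Tomcat code. The marker header name, the canary value
and the canned responses below are constructed for illustration."""
import socket
import sys

MARKER_HEADER = "X-Xst-Probe"   # assumed: any header the server would never add itself
MARKER_VALUE = "canary-7f3a"    # assumed canary value we look for in the echo


def build_trace(host, path="/"):
    """Raw TRACE request; Connection: close lets us read the reply until EOF."""
    return (f"TRACE {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"{MARKER_HEADER}: {MARKER_VALUE}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def build_options(host, path="/"):
    """Raw OPTIONS request, used only to read the Allow header."""
    return (f"OPTIONS {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(None, 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace(raw):
    """VULNERABLE only if our marker is echoed back (the VU#867593 condition);
    BLOCKED for an explicit refusal; NOT_ECHOED for anything else (e.g. a 404)."""
    status, _, body = parse_response(raw)
    if MARKER_VALUE.encode("ascii") in body:
        return "VULNERABLE"
    if status in (403, 405, 501):
        return "BLOCKED"
    return "NOT_ECHOED"


def allow_methods(raw):
    """Methods listed in the Allow header of an OPTIONS response (may be empty)."""
    _, headers, _ = parse_response(raw)
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def send_raw(host, port, request, timeout=5.0):
    """Send one raw request and read the whole reply until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def probe(host, port, path="/"):
    """Run both checks against a live server; only 'trace' decides the finding."""
    trace = classify_trace(send_raw(host, port, build_trace(host, path)))
    allow = allow_methods(send_raw(host, port, build_options(host, path)))
    return {"trace": trace, "allow": allow, "allow_lists_trace": "TRACE" in allow}


# Constructed responses modelled on the thread: a server that echoes the
# request (200, message/http), the 403 "TRACE method is not allowed" refusal,
# a plain 404, and a default-servlet OPTIONS reply whose Allow includes TRACE.
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
               + build_trace("localhost"))
SAMPLE_BLOCKED = b"HTTP/1.1 403 TRACE method is not allowed\r\nContent-Length: 0\r\n\r\n"
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>Not Found</html>"
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    print(probe(host, port, path))
```

Run it as `python xst_probe.py localhost 8080 /app/` against the connector in question: a result of `"trace": "NOT_ECHOED"` or `"BLOCKED"` with `"allow_lists_trace": True` is exactly the scanner situation described above, an Allow header mentioning TRACE with no echo behind it.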



RE: tomcat 7.0.22 - allowTrace="false" not working

Posted by Sachin <sa...@nitman.co.in>.
I'm testing it with w3af(http://w3af.sourceforge.net) since that's what our
security certifying vendor tests application against.

And it logs -  The URL "http://localhost:8080/app/" has the following
allowed methods: GET, HEAD, OPTIONS, POST, TRACE. This information was found
in the request with id 19.


Thanks & Regards
Sachin

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Monday, February 18, 2013 11:34 PM
To: Tomcat Users List
Subject: Re: tomcat 7.0.22 - allowTrace="false" not working

On 18/02/2013 15:00, Sachin wrote:
> Hi,
>
> I want to disable http TRACE method in my application which is running 
> on tomcat 7.0.22 web-server.
> Though apache tomcat configuration for http says that it is set to 
> false by default, it allows TRACE. I tried setting it to false 
> specifically, but still it allows.
> I searched through your mail archives hosted on 4-5 sites and general 
> web but could not find a working solution. Please help.
>
> Here is 'connector' (only 1) from my server.xml
>
>   <Connector port="8080" protocol="HTTP/1.1" server="SACHIN"
> 	connectionTimeout="20000" allowTrace="false"
>                  redirectPort="8443" />

How are you testing this?

I just tested 7.0.x trunk and see the documented behaviour. Further, there
has been no change in the code that handles this in a number of years.

Mark



Re: tomcat 7.0.22 - allowTrace="false" not working

Posted by Mark Thomas <ma...@apache.org>.
On 18/02/2013 15:00, Sachin wrote:
> Hi,
>
> I want to disable http TRACE method in my application which is running on
> tomcat 7.0.22 web-server.
> Though apache tomcat configuration for http says that it is set to false by
> default, it allows TRACE. I tried setting it to false specifically, but
> still it allows.
> I searched through your mail archives hosted on 4-5 sites and general web
> but could not find a working solution. Please help.
>
> Here is 'connector' (only 1) from my server.xml
>
>   <Connector port="8080" protocol="HTTP/1.1" server="SACHIN"
> 	connectionTimeout="20000" allowTrace="false"
>                  redirectPort="8443" />

How are you testing this?

I just tested 7.0.x trunk and see the documented behaviour. Further, 
there has been no change in the code that handles this in a number of years.

Mark

