Actually, if you query the Zope web service to see what it supports, it tells you:

Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK

TRACE allows for some XSS problems, and I just want to make sure I have the server locked down against as many vulnerabilities as I can. I cannot find any mention of the Zope Web Server supporting TRACE, so I am trying to find out if it actually does support it or if it's just reacting to the query.

The tool I used is called Nikto; it's just an HTTP assault tool. It looks through a predefined list like Nessus, but restricts itself to possible HTTP issues. It also plays a lot nicer on a network :)

Jay

-----Original Message-----
From: Chris Withers [mailto:chris@simplistix.co.uk]
Sent: Friday, March 11, 2005 10:35 AM
To: Jay Zeemer
Cc: 'zope@zope.org' List Mailing
Subject: Re: [Zope] Does Zope support HTTP Trace method??

Jay Zeemer wrote:
> In a lot of HTTP servers there is a method used for debugging sessions and such called TRACE. Does Zope support this?? And if so is it active, or inactive by default?? How can I turn this on and off??

I'm not aware of any TRACE support in Zope. You run it behind Apache maybe? You been poking with Nessus? ;-)

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
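
Added example, not part of the original thread or of Zope's code: one way to tell a server that merely lists TRACE in its `Allow` header from one that actually loops the request back, which is the distinction asked about above. The function names, the `X-Trace-Check` header, the marker value and the sample responses are all assumptions constructed for illustration; only the `Allow` list is taken from the thread.

```python
import http.client

# Allow list exactly as quoted in the thread.
PAGE_ALLOW = ("GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PROPFIND, "
              "PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK")
MARKER = "trace-check-constructed-1234"  # constructed value, sent as X-Trace-Check

# Constructed (status, headers, body) samples; not captured from any real server.
ECHO_RESPONSE = (200, [("Content-Type", "message/http")],
                 b"TRACE / HTTP/1.1\r\nHost: localhost\r\n"
                 b"X-Trace-Check: trace-check-constructed-1234\r\n\r\n")
REJECT_RESPONSE = (501, [("Content-Type", "text/html")], b"<h1>Not Implemented</h1>")

def parse_allow(headers):
    """Return the set of methods named in the Allow header, if any."""
    for name, value in headers:
        if name.lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()

def trace_is_echoed(status, headers, body, marker=MARKER):
    """True only for a real loop-back: 2xx status and our marker reflected."""
    return 200 <= status < 300 and marker.encode() in body

def classify(allow, echoed):
    """Combine what the server advertises with what it actually does."""
    if echoed:
        return "TRACE enabled"
    if "TRACE" in allow:
        return "TRACE advertised but not honored"
    return "TRACE not supported"

def fetch(host, port, method, headers=None):
    """One request per connection, so a server-side close cannot skew results."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/", headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read()
    finally:
        conn.close()

def probe(host, port=80):
    """Live check against a server you administer."""
    allow = parse_allow(fetch(host, port, "OPTIONS")[1])
    trace = fetch(host, port, "TRACE", {"X-Trace-Check": MARKER})
    return classify(allow, trace_is_echoed(*trace))
```

If a front-end such as Apache sits before Zope, run `probe` against both the proxy port and the Zope port, since either layer may be the one answering TRACE.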