Yesterday Sun posted an alert regarding the exploits and possible temporary solutions until a patch can be released.
Their solution is to disable WebDAV and all digest authentication.
But what if I use digest authentication? Do I really need to disable it? Possibly not. The HEAD, GET and POST methods do not seem to be affected by the overflow exploits, so if I block every other method except those three, I should still be able to use digest authentication. The only problem is knowing every other method Sun's web server supports.
Well, maybe you don’t need to know them all. You might try this:
```
# Assumed reconstruction of the <If>/<Else> wrapper the text below refers to
# (tag-like lines were lost from the page); only the AuthTrans line is verbatim.
<If $method =~ "^(GET|POST|HEAD)$">
</If>
<Else>
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Else>
```
What this does: if the method being handled is GET, POST or HEAD, nothing happens here; if it's anything else, the request is rejected with a "method not implemented" (501) error. I couldn't find a logical-not wildcard pattern operator in the administrator's guide ("!=" is a numerical not and will not work on strings), which is why there's an empty If block. Hey, it works, and remember it's only temporary.
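To confirm the rule is actually in force on a server (every non-GET/POST/HEAD method gets a 501, and a protected GET still comes back with a Digest challenge), here is a small probe script. It is an added example, not code from the original post or from Sun; the probe method list, host and path are assumptions.

```python
import socket

ALLOWED = {"GET", "POST", "HEAD"}  # the three methods the obj.conf rule lets through
# Constructed probe list: the allowed three plus common WebDAV/extension methods.
PROBE_METHODS = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE",
                 "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"]


def parse_status(raw: bytes) -> int:
    """Return the status code from the first line of a raw HTTP response."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def digest_offered(raw: bytes) -> bool:
    """True if the response is a 401 whose WWW-Authenticate header offers Digest."""
    if parse_status(raw) != 401:
        return False
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"www-authenticate" and value.strip().lower().startswith(b"digest"):
            return True
    return False


def classify(method: str, status: int) -> str:
    """Judge one method's reply against the intent of the rule: 501 for everything not allowed."""
    if method in ALLOWED:
        return "ok" if status != 501 else f"BROKEN: {method} is blocked"
    return "ok" if status == 501 else f"EXPOSED: {method} answered {status}, not 501"


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> dict:
    """Send each probe method to host:port (assumed values) and classify the reply."""
    results = {}
    for method in PROBE_METHODS:
        req = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(req)
            raw = sock.recv(4096)  # the status line is all we need
        results[method] = classify(method, parse_status(raw))
    return results


if __name__ == "__main__":
    # Hypothetical host and protected path; replace with your own server.
    for method, verdict in probe("www.example.com", path="/protected/").items():
        print(f"{method:10} {verdict}")
```

Any "EXPOSED" line means the rule is not applied to that object or virtual server; a "BROKEN" line means the empty If block is matching too little.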
So if you're an SJSWS person, I hope this helps a little bit.
It makes me wonder if I should ditch SJSWS entirely.