1620815 - How to disable Tomcat WEBDAV ?

SAP Knowledge Base Article - Public

1620815 - How to disable Tomcat WEBDAV ?

Symptom

  • Sometimes URL scan tools like AppScan report a Medium Vulnerability on Tomcat application server's WEBDAV servlet.
  • Suggested Remediation Tasks: Disable WebDAV, or disallow unneeded HTTP methods
  • Suggested Reasoning: The Allow header revealed that hazardous HTTP Options are allowed, indicating that WebDAV is enabled on the server.

 

Environment

Window 2008 platform
XI3.1 SP3 FP3.4
IBM Rational AppScan 8.0.0.2
BurpSuite Pro v1.3.09
IE 8.0.6001.18702CO

Resolution

  • Tomcat WEBDAV servlet is not part of Business Objects Enterprise web applications. 
  • BusinessObjects Web applications do not use the WEBDAV servlet.
  • As such, the WEBDAV folder found in Tomcat\Webapps can be safely deleted without affecting other BusinessObjects Enterprise functionality.

Keywords

Tomcat webdav security vulnerability XI3.1 , KBA , BI-BIP-DEP , SBOP Web Application Deployment, Wdeploy , Problem

Product

Crystal Reports 2008 V0