HTTP TRACE methods allowed
We have received penetration test results from the external vendor stating:
Dangerous HTTP methods like PUT, DELETE, MKCOL, LOCK, MOVE allow a remote user to upload files, delete files, create directories and lock files on the web server. Kindly disable the dangerous methods. If these methods are required, then restrict or deactivate access.
We have iPlanet version 7 update 9.
But I have uncommented the #Service method="TRACE" fn="service-trace" line in obj.conf; also my default ACL is:
version 3.0;
acl "default";
authenticate (user, group) {
prompt = "Sun ONE Web Server";
};
deny absolute (http_trace,http_put,http_delete,http_move,http_mkdir,http_rmdir)
user = "anyone";
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";
acl "es-internal";
deny absolute (http_trace,http_put,http_delete,http_move,http_mkdir,http_rmdir)
user = "anyone";
allow (read, execute, info) user = "anyone";
deny (list, write, delete) user = "anyone";
In the logs I am getting:
- - [21/Feb/2011:09:32:43 +0400] "GET /expired.htm HTTP/1.1" 200 656
- - [21/Feb/2011:09:32:43 +0400] "GET /xZ2fR5.html HTTP/1.1" 302 1188
- - [21/Feb/2011:09:32:43 +0400] "GET /expired.htm HTTP/1.1" 200 656
- - [21/Feb/2011:09:32:43 +0400] "GET / HTTP/9.8" 505 196
- - [21/Feb/2011:09:32:43 +0400] "HEAD / HTTP/1.1" 200 0
- - [21/Feb/2011:09:32:44 +0400] "OPTIONS / HTTP/1.1" 200 0
- - [21/Feb/2011:09:32:44 +0400] "DELETE / HTTP/1.1" 403 142
- - [21/Feb/2011:09:32:44 +0400] "TEST / HTTP/1.1" 501 148
- - [21/Feb/2011:09:32:44 +0400] "GET /etc/passwd?format=%%%&xss="><script>alert('xss');</script>&traversal=../../&sql='%20OR%200;" 302 1196
- - [21/Feb/2011:09:32:44 +0400] "GET /etc/expired.htm HTTP/1.1" 302 1196
Instead of 405 we are getting a 403 error.
Can anyone please tell me whether these settings are OK?
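As an added example (not from the original post and not an iPlanet tool), here is a small Python script that parses the access-log lines quoted above and separates the vendor-listed dangerous methods into those the server actually served (2xx) and those it refused; it treats a 403 from the ACL and a 405 the same way, since both mean the method was not performed. The sample log is the post's own lines, the `DANGEROUS` set is the vendor's list plus TRACE, and the regex assumes the common-log layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the access-log lines quoted in the post above.
SAMPLE_LOG = """\
- - [21/Feb/2011:09:32:43 +0400] "GET /expired.htm HTTP/1.1" 200 656
- - [21/Feb/2011:09:32:43 +0400] "GET / HTTP/9.8" 505 196
- - [21/Feb/2011:09:32:43 +0400] "HEAD / HTTP/1.1" 200 0
- - [21/Feb/2011:09:32:44 +0400] "OPTIONS / HTTP/1.1" 200 0
- - [21/Feb/2011:09:32:44 +0400] "DELETE / HTTP/1.1" 403 142
- - [21/Feb/2011:09:32:44 +0400] "TEST / HTTP/1.1" 501 148
- - [21/Feb/2011:09:32:44 +0400] "GET /etc/passwd?format=%%%&xss="><script>alert('xss');</script>&traversal=../../&sql='%20OR%200;" 302 1196
"""

# Methods the vendor report and the post's title call dangerous (assumed list).
DANGEROUS = {"PUT", "DELETE", "MKCOL", "LOCK", "MOVE", "TRACE"}
# 403 (ACL denial), 405 (not allowed) and 501 (not implemented) all mean "refused".
REFUSED = {401, 403, 405, 501}
# Greedy `.*` so embedded quotes (see the /etc/passwd line) don't cut the target short.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*)" (?P<status>\d{3}) (?:\d+|-)\s*$')

def parse_access_log(text):
    """One (method, target, status) tuple per parseable line; others are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append((m["method"], m["target"], int(m["status"])))
    return entries

def statuses_by_method(text):
    """Map each request method seen to the set of status codes it received."""
    seen = defaultdict(set)
    for method, _, status in parse_access_log(text):
        seen[method].add(status)
    return dict(seen)

def audit_dangerous(text):
    """Split dangerous-method requests into 'served' (2xx, a real finding) and
    'refused' (403/405/501); anything else, e.g. a 302, is left for manual review."""
    served, refused = [], []
    for method, target, status in parse_access_log(text):
        if method not in DANGEROUS:
            continue
        if 200 <= status < 300:
            served.append((method, target, status))
        elif status in REFUSED:
            refused.append((method, status))
    return {"served": served, "refused": refused}
```

Running `audit_dangerous(SAMPLE_LOG)` on the quoted log shows the DELETE refused with 403 and nothing served, which is the check that matters for the vendor's finding.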