httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48277] TraceEnable directive not secure by default
Date Sat, 28 Nov 2009 22:35:16 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48277

Will Rowe <wrowe@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FAQ
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Will Rowe <wrowe@apache.org> 2009-11-28 14:35:12 UTC ---
[Tagging FAQ for clarification]

TRACE is not a vulnerability, any more than traceroute or ping would be security
issues.  It is simply a tool, and the HTTP project will not disable such tools
by default.  The RFC spells out that servers SHOULD implement it; therefore we do.

Now, there are entirely moronic clients and programmatic interfaces; old, stale
and badly designed flavors of Microsoft Internet Explorer and Adobe Flash all
spring to mind, which would present the results of a TRACE request to the user.
This is out of the server developers' hands, and there are other sinister flaws
hiding in those design errors which 'TraceEnable off' has no effect on.

So marked as an FAQ for the justification why the "security communities'" request
to address the TRACE directive is entirely invalid.  The serious DoS consideration
would be the reflection of request bodies, which are not enabled by default, but
only offered as an 'extended' feature for testing server or routing behavior.
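
The comment distinguishes three server behaviours: TRACE refused ('TraceEnable off'), TRACE reflecting only the request line and headers (the default 'on'), and TRACE reflecting the request body as well ('extended', the reflection case called out above). The following is an added example, not code from the bug report or from the httpd project, that classifies a TRACE response into one of those modes for a configuration audit; it assumes httpd's documented behaviour that 'off' answers 405, 'on' answers 413 when a body is sent, and both 'on' and 'extended' answer 200 with a message/http body. The sample responses are constructed, not captured from a real server.

```python
# Added example: classify what a TRACE response reveals about TraceEnable.
# Assumption (from httpd documentation, not from the bug report):
#   off      -> 405 Method Not Allowed
#   on       -> 200 message/http echoing request line + headers; 413 if a
#               request body was sent
#   extended -> 200 message/http echoing the request body too

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace(raw_response: bytes, sent_body: bytes) -> str:
    """Return 'off', 'on', 'extended' or 'unknown' for a TRACE response."""
    status, headers, body = parse_response(raw_response)
    if status == 405:
        return "off"
    if status == 413:
        return "on"  # TRACE permitted, but the request body was refused
    if status == 200 and headers.get(b"content-type", b"").startswith(b"message/http"):
        # Only 'extended' reflects the body we sent back to us.
        return "extended" if sent_body and sent_body in body else "on"
    return "unknown"


# Constructed sample responses (hypothetical host example.test).
SENT_BODY = b"probe-body"
RESP_OFF = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
            b"Content-Length: 0\r\n\r\n")
RESP_ON = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
           b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n")
RESP_ON_BODY_REFUSED = (b"HTTP/1.1 413 Request Entity Too Large\r\n"
                        b"Content-Length: 0\r\n\r\n")
RESP_EXTENDED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                 b"TRACE / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 10\r\n\r\n" + SENT_BODY)

if __name__ == "__main__":
    for name, raw, sent in (("off", RESP_OFF, SENT_BODY), ("on", RESP_ON, b""),
                            ("on", RESP_ON_BODY_REFUSED, SENT_BODY),
                            ("extended", RESP_EXTENDED, SENT_BODY)):
        print(name, "->", classify_trace(raw, sent))
```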
