httpd-bugs mailing list archives

Subject: DO NOT REPLY [Bug 48277] TraceEnable directive not secure by default
Date: Sat, 28 Nov 2009 22:35:16 GMT

Will Rowe <> changed:

           What    |Removed                     |Added
           Keywords|                            |FAQ
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Will Rowe <> 2009-11-28 14:35:12 UTC ---
[Tagging FAQ for clarification]

TRACE is not a vulnerability, any more than traceroute or ping would be
issues.  It is simply a tool, and the HTTP project will not disable such tools
by default.  The RFC spells out that servers SHOULD implement, therefore we do.

Now, there are entirely moronic clients and programmatic interfaces; old, stale
and badly designed flavors of Microsoft Internet Explorer and Adobe Flash all
spring to mind, which would present the results of a TRACE request to the user.
This is out of the server developers' hands, and there are other sinister flaws
hiding in those design errors which 'TraceEnable off' has no effect on.

So marked as an FAQ for the justification why the "security communities'"
to address the TRACE directive is entirely invalid.  The serious DoS
would be the reflection of request bodies, which are not enabled by default,
only offered as an 'extended' feature for testing server or routing behavior.
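The comment distinguishes a plain TRACE echo from the 'extended' mode that also reflects the request body. The following is an added audit helper (not part of the bug report or of httpd) that a server operator can point at their own host to confirm which TraceEnable mode is in effect; the status-code mapping (405 for `off`, 413 when a body is sent under `on`) is an assumption based on httpd's documented behaviour, and the marker strings are constructed here.

```python
"""Audit which TraceEnable mode an httpd instance is running in.

Added example, not code from the bug report or the httpd project.
Classification relies on markers we place in our own request, so it
does not depend on guessing the exact echo format.
"""
import http.client

# Constructed markers: one goes in a request header, one in the body.
HEADER_MARKER = "trace-audit-header-marker"
BODY_MARKER = "trace-audit-body-marker"


def classify_trace_response(status: int, content_type: str, body: bytes) -> str:
    """Map one TRACE response to a TraceEnable mode.

    'disabled'       -> 405: TraceEnable off (assumed status mapping)
    'body-rejected'  -> 413: TraceEnable on, body refused (assumed mapping)
    'headers-only'   -> request line/headers echoed, body not (TraceEnable on)
    'body-reflected' -> request body echoed too (TraceEnable extended)
    'unknown'        -> anything else (proxy, WAF, non-httpd server, ...)
    """
    if status == 405:
        return "disabled"
    if status == 413:
        return "body-rejected"
    if status != 200 or not content_type.lower().startswith("message/http"):
        return "unknown"
    text = body.decode("latin-1", errors="replace")
    if BODY_MARKER in text:
        return "body-reflected"
    if HEADER_MARKER in text:
        return "headers-only"
    return "unknown"


def audit_trace(host: str, port: int = 80, path: str = "/") -> str:
    """Send a single TRACE carrying both markers and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, body=BODY_MARKER,
                     headers={"X-Trace-Audit": HEADER_MARKER,
                              "Content-Type": "text/plain"})
        resp = conn.getresponse()
        return classify_trace_response(resp.status,
                                       resp.getheader("Content-Type", ""),
                                       resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    print(audit_trace(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```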
