httpd-dev mailing list archives

From "Johnson, Michael" <Michael.John...@aststockplan.com>
Subject RE: RFC TRACE
Date Thu, 23 Jan 2003 15:23:23 GMT
Correct, this is from that article. Though similar attacks in the past were
done like this with the echo service. I don't think it's overreacting,
especially with this article out now; I'm sure a number of people will be
playing with this.

Limit Trace did not work, hence my starting to hack into the source. I
did not see a way to override the defaults in the config... though in
iPlanet you can disable this, unlike what the article notes.

-MJ


> -----Original Message-----
> From: Edward S. Marshall [mailto:esm@logic.net]
> Sent: Thursday, January 23, 2003 10:12 AM
> To: dev@httpd.apache.org
> Subject: Re: RFC TRACE
> 
> 
> On Thu, Jan 23, 2003 at 09:59:53AM -0500, Johnson, Michael wrote:
> > Can Trace be disabled? I'm looking through the source and not seeing a
> > flag to disable this.
> 
> Let the over-reacting begin. :-P
> 
> (In case someone missed it, the "whitepaper" for what he's reacting to is
> available at http://www.whitehatsec.com/news.html ... which amounts to
> little more than a publicity stunt on the part of WhiteHat Security.)
> 
> To answer the question, I'm sure <Limit TRACE> in the configuration file
> will probably do the right thing in this case, but that's untested on my
> part.
> 
> -- 
> Edward S. Marshall <esm@logic.net>
> http://esm.logic.net/
> 
> Felix qui potuit rerum cognoscere causas.
> 
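
A way to confirm from the outside whether a server still answers TRACE after a configuration change such as the `<Limit TRACE>` attempt discussed in this thread. This is an added example, not code from either poster or from the httpd project; the `X-Trace-Probe` header, the function names and the two loopback handlers are constructed for illustration.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def classify(status, body, marker):
    """Classify one TRACE response: is the method effectively answered?"""
    if status == 200 and marker.encode() in body:
        return "enabled"       # our request was reflected back
    if status in (403, 405, 501):
        return "disabled"      # server refused the method
    return "inconclusive"      # redirect, error page, or an intermediary replied

def probe_trace(host, port=80, path="/", timeout=5.0):
    """Send a single TRACE with a random marker header and classify the reply."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        return classify(resp.status, resp.read(65536), marker)
    finally:
        conn.close()

class EchoTrace(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still answers TRACE."""
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)
    def log_message(self, *args): pass   # keep the demo quiet

class NoTrace(BaseHTTPRequestHandler):
    """Constructed stand-in with no do_TRACE, so http.server replies 501."""
    def log_message(self, *args): pass

def start_local(handler):
    # Throwaway loopback server on a free port, used only for the demo.
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for handler in (EchoTrace, NoTrace):
        srv = start_local(handler)
        print(handler.__name__, probe_trace("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

An "inconclusive" result usually means something in front of the origin answered, so repeat the probe directly against the backend before trusting it.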
