Return-Path: 
 <dev-return-35807-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 33813 invoked by uid 500); 23 Jan 2003 15:24:12 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 33799 invoked from network); 23 Jan 2003 15:24:11 -0000
Message-ID: <5BA9C874D66DD511860600034708613E6BFE33@exchastny01.ny.ssmb.com>
From: "Johnson, Michael" <Michael.Johnson@aststockplan.com>
To: "'dev@httpd.apache.org'" <dev@httpd.apache.org>
Subject: RE: RFC TRACE
Date: Thu, 23 Jan 2003 10:23:23 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
X-Scanned-By: MIMEDefang 2.16 (www . roaringpenguin . com / mimedefang)
X-Spam-Rating: 208.185.179.12.available.above.net 1.6.2 0/1000/N

Correct this is from that article. Though similar attacks in the past were
done like this with the echo service. I don't think its overreacting
especially with this article out now im sure a number of people will be
playing with this.

Limit Trace did not work hence myself starting to hack into the source. I
did not see a way to override the defaults in the config... though in
iplanet you can disable this unlike the article notes.

-MJ


> -----Original Message-----
> From: Edward S. Marshall [mailto:esm@logic.net]
> Sent: Thursday, January 23, 2003 10:12 AM
> To: dev@httpd.apache.org
> Subject: Re: RFC TRACE
> 
> 
> On Thu, Jan 23, 2003 at 09:59:53AM -0500, Johnson, Michael wrote:
> > Can Trace be disabled im looking through the source and not 
> seeing a flag to
> > disable this? 
> 
> Let the over-reacting begin. :-P
> 
> (In case someone missed it, the "whitepaper" for what he's 
> reacting to is
> available at http://www.whitehatsec.com/news.html ... which amounts to
> little more than a publicity stunt on the part of WhiteHat Security.)
> 
> To answer the question, I'm sure <Limit TRACE> in the 
> configuration file
> will probably do the right thing in this case, but that's 
> untested on my
> part.
> 
> -- 
> Edward S. Marshall <esm@logic.net>
> http://esm.logic.net/
> 
> Felix qui potuit rerum cognoscere causas.
>