httpd-users mailing list archives

From "Jacob Coby" <jc...@listingbook.com>
Subject Re: [users@httpd] TRACE feature
Date Thu, 28 Aug 2003 17:39:42 GMT
> It never ceases to amaze me how all the big-brained people who generate RFCs
> are so naive that they tend to overlook basic security issues, as evidenced
> once again with the "TRACE" feature of the HTTP 1.1 protocol.

I don't really even understand why this is a problem.

The HTTP spec has these features because they're useful.  The original goal
of the web was to have online storage of documents that you could go back
and edit/move/whatever without using FTP.  Because of that, there are MANY
potentially insecure features of the HTTP spec: Allow: GET, HEAD, POST, PUT,
DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
LOCK, UNLOCK, TRACE.

To tell what your server accepts, type this:

> telnet www.yourserver.com 80
Trying 127.0.0.1...
Connected to www.yourserver.com.
Escape character is '^]'.

OPTIONS / HTTP/1.1
Host: www.yourserver.com
[enter][enter]

It will come back with a list like above.

Fact is, there aren't any worms out there that take advantage of this
exploit; there really isn't much you can do with this exploit other than see
what your browser is sending to a server.  Big whoopty do.

-Jacob


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
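
The OPTIONS check described in the message above, as an added example that is not part of the original e-mail: it builds the same request and audits the Allow header of the reply. The function names, the EXPECTED baseline and the sample reply are assumptions made for the illustration.

```python
import socket

# Methods this example treats as expected on an ordinary site (an assumption).
EXPECTED = {"GET", "HEAD", "POST", "OPTIONS"}

def build_options_request(host, path="/"):
    """Bytes of the OPTIONS request typed into telnet in the message."""
    return (f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_allow(raw):
    """Return (status code, set of methods named in any Allow header)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *headers = head.split("\r\n")
    status = int(status_line.split()[1])
    methods = set()
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":  # header names are case-insensitive
            methods.update(m.strip() for m in value.split(",") if m.strip())
    return status, methods

def audit(raw, expected=frozenset(EXPECTED)):
    """Summarise what the server advertises and what falls outside `expected`."""
    status, methods = parse_allow(raw)
    return {"status": status, "allowed": sorted(methods),
            "unexpected": sorted(methods - expected),
            "trace": "TRACE" in methods}

def fetch_options(host, port=80, timeout=5.0):
    """Send the request to a server you administer and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

# Constructed sample reply, not captured from a real server.
SAMPLE = (b"HTTP/1.1 200 OK\r\nDate: Thu, 28 Aug 2003 17:39:42 GMT\r\n"
          b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The Allow header is only what the server advertises for the requested URL, so audit(fetch_options(host)) reports the advertised list rather than proving how each method is handled.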

