httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Recompiling Without HTTP TRACE
Date Thu, 04 Dec 2003 15:03:20 GMT

On Wed, 3 Dec 2003, Aaron W Morris wrote:
> Joshua, please give it up.  Your jihad against the idea of disabling
> TRACE is well meant, I realize, but utterly foolish.  People are not
> disabling TRACE because they *want* to; the decision has already been
> made.  They *have* to do it.

Hmmm... I should stop telling people the truth about the issue?  Seems
like a strange request.

> It is hard enough to fight an idea with hard evidence.  It is a hell of
> a lot harder when all you have is what some guy says on a mailing list
> and a couple of USENET postings (some of which by the same guy).

Where is the evidence that TRACE *is* a security vulnerability?

This is exactly the kind of cargo cult [1] that we need to fight.
If you let them go, people keep repeating them until the repetition itself
makes them seem like truth.

You are absolutely correct that you shouldn't trust my word for it or what
you read in some email from some random person.  But that is not what I
said.  I said to go look it up, and I provided an example on where to
start.  Go read the *complete* thread from bugtraq or go read the
discussion from the dev@httpd.apache.org mailing list.

Or check the credentials on the people you are reading.
This email:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-01/0233.html
was written by Marc Slemko, one of the foremost experts on Cross-site
scripting (of which the alleged TRACE vulnerability is a variation) and a
member of the Apache core development group.

This article:
http://www.apacheweek.com/issues/03-01-24#news
was written by Mark J Cox, head of Redhat's security response team and an
Apache core developer.

Joshua.

[1] http://www.physics.brocku.ca/etc/cargo_cult_science.html

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

