httpd-users mailing list archives

From "alert" <al...@sifycorp.com>
Subject Re: [users@httpd] TRACE/TRACK problem
Date Sat, 07 Aug 2004 11:33:34 GMT
Hi,

I am also facing the same problem. Can you tell me the reason for this vulnerability
and give me the solution?

Regards,
Alert


----- Original Message ----- 
From: "Mauricio Cavalcanti" <mauriciopcavalcanti@hotmail.com>
To: <users@httpd.apache.org>
Sent: Thursday, August 05, 2004 6:38 PM
Subject: [users@httpd] TRACE/TRACK problem


> Hi,
> I ran Nessus and it found a vulnerability called "http TRACE XSS attack" in
> https (443/tcp).
> 
> Nessus's solution is "Disable this methods" and to do it, Nessus says:
> 
> "If you are using Apache, add the following lines for each virtual
> host in your configuration file :
> 
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]"
> 
> and see:
> http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
> http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
> http://www.kb.cert.org/vuls/id/867593
> 
> I have read many discussions about this "vulnerability".
> 
> I have changed my httpd.conf and run Nessus again. The "vulnerability"
> is still there.
> 
> I have sent an e-mail to the Nessus group and I received this:
> 
> "Apache has changed options multiple times over time to handle the
> TRACE request, which is why I suggested you consult an Apache group to
> know what to do and see what works the best with your version of Apache."
> 
> That's what I'm trying now.
> 
> I'm running Apache 1.3.29 on Solaris 8.
> 
> Can anyone help me?
> 
> Thanks in advance,
> Mauricio.
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
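Added editorial check, not part of either message in this thread: the mod_rewrite rules quoted above only take effect where mod_rewrite is loaded and the rules are actually in scope for the scanned virtual host (the scan hit port 443, so the rules need to be inside the SSL vhost; mod_rewrite configuration is not inherited by virtual hosts unless `RewriteOptions inherit` is set). On newer servers `TraceEnable off` (available from Apache 1.3.34 / 2.0.55 onward, so not on the 1.3.29 mentioned above) answers TRACE with 405. Either way, the quickest way to confirm the fix is to send a TRACE request and see whether the server echoes it back. The script below does that: `classify_trace_response` decides from status, `Content-Type` and body whether TRACE is still echoed, `probe` runs it against a live host, and the three raw responses are constructed samples (an Apache echo, a mod_rewrite `[F]` 403, and a `TraceEnable off` 405) so the classifier can be exercised offline. Hostnames, header names and the sample bodies are assumptions made for the example.

```python
import http.client
import ssl
import sys
from typing import Dict, Tuple


def parse_raw_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def classify_trace_response(status: int, headers: Dict[str, str], body: bytes) -> str:
    """Return 'enabled' if the server echoed the TRACE request, 'blocked' if it
    refused the method, 'unknown' otherwise.

    Apache answers an allowed TRACE with 200 and Content-Type message/http, the
    body being the request it received; mod_rewrite's [F] flag yields 403 and
    TraceEnable off yields 405."""
    ctype = headers.get("content-type", "").lower()
    echoed = ctype.startswith("message/http") or body.lstrip().upper().startswith(b"TRACE ")
    if status == 200 and echoed:
        return "enabled"
    if status in (403, 405, 501):
        return "blocked"
    return "unknown"


def probe(host: str, port: int = 443, use_tls: bool = True, timeout: float = 5.0) -> str:
    """Send one TRACE request to host:port and classify the answer."""
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # A marker header makes it obvious in the echoed body that the
        # server is reflecting whatever the client sent.
        conn.request("TRACE", "/", headers={"X-Trace-Check": "1"})
        resp = conn.getresponse()
        body = resp.read()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify_trace_response(resp.status, headers, body)
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
ECHOED = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\n"
          b"Content-Type: message/http\r\n\r\n"
          b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Trace-Check: 1\r\n\r\n")
REJECTED_BY_REWRITE = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache/1.3.29 (Unix)\r\n"
                       b"Content-Type: text/html\r\n\r\n<html>Forbidden</html>")
REJECTED_BY_TRACEENABLE = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                           b"Allow: GET,HEAD,POST,OPTIONS\r\n\r\n")


def classify_raw(raw: bytes) -> str:
    """Convenience wrapper: classify a raw response byte string."""
    return classify_trace_response(*parse_raw_response(raw))


if __name__ == "__main__":
    for name, raw in (("echoed", ECHOED),
                      ("rewrite [F]", REJECTED_BY_REWRITE),
                      ("TraceEnable off", REJECTED_BY_TRACEENABLE)):
        print(f"{name:16s} -> {classify_raw(raw)}")
    if len(sys.argv) > 1:  # python trace_check.py www.example.com [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(f"{sys.argv[1]}:{port} -> {probe(sys.argv[1], port)}")
```

Run it with a hostname to probe the SSL virtual host the scanner complained about; "blocked" with a 403 means the rewrite rule is in scope, a 405 means `TraceEnable off` is doing the work, and "enabled" means the rules never reached that vhost.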