httpd-users mailing list archives

From "Mauricio Cavalcanti" <mauriciopcavalca...@hotmail.com>
Subject [users@httpd] TRACE/TRACK problem
Date Thu, 05 Aug 2004 13:08:50 GMT
Hi,
I ran Nessus and it found a vulnerability called "http TRACE XSS attack" on
https (443/tcp).

The Nessus solution is "Disable this methods" and, to do it, Nessus says:

"If you are using Apache, add the following lines for each virtual
host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]"

and see:
http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593

I have read many discussions about this "vulnerability".

I have changed my httpd.conf and run Nessus again. The "vulnerability"
is still there.

I have sent an e-mail to the Nessus group and I received this:

"Apache has changed options multiple times over time to handle the
TRACE request, which is why I suggested you consult an Apache group to
know what to do and see what works the best with your version of Apache."

That's what I'm trying now.

I'm running Apache 1.3.29 on Solaris 8.

Can anyone help me?

Thanks in advance,
Mauricio.
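An added check, not part of the original post or of the Nessus report: it sends one TRACE request to the SSL virtual host on 443, where the scanner reported the finding, and reports whether the server still echoes the request back (TRACE enabled) or refuses it with the 403 that the quoted RewriteRule [F] produces. The host name, port and the sample responses used to exercise the classifier are assumptions.

```python
"""Verify whether an Apache host still answers TRACE after the mod_rewrite fix."""
import http.client
import ssl
import sys


def classify_trace_response(status, content_type, body):
    """Decide from a TRACE response whether the method is still enabled.

    A normal TRACE reply is 200 with Content-Type message/http and the
    request echoed in the body; that echo is what the XSS finding keys on.
    A 403 (RewriteRule ... [F]) or a 405 means the method is refused.
    Anything else is reported as 'unclear' so it can be looked at by hand.
    """
    if status == 200 and content_type.startswith("message/http"):
        return "enabled"
    if status == 200 and body.lstrip().startswith("TRACE "):
        return "enabled"
    if status in (403, 405):
        return "disabled"
    return "unclear"


def probe_trace(host, port=443, path="/", verify_tls=False):
    """Send a single TRACE request over TLS and classify the answer."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed certificates are common on internal hosts
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("TRACE", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", "replace")
        ctype = resp.getheader("Content-Type", "")
        return classify_trace_response(resp.status, ctype, body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed target; pass the real host name of the SSL vhost on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("TRACE on %s: %s" % (target, probe_trace(target)))
```

If the result is still "enabled" on 443, the rewrite rules are not taking effect in that SSL virtual host (mod_rewrite not loaded, or the rules placed only in the non-SSL host).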



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

