Http Trace.
Martin P. Hansen
mph at lima.dyndns.dk
Fri Dec 23 17:09:41 PST 2005
On Fri, 23 Dec 2005, Payne wrote:
> I am running 4.10 and I am wondering if this effect me.
>
> http://www.kb.cert.org/vuls/id/867593 Payne'
Quoted http://www.kb.cert.org/vuls/id/867593:
Attackers may abuse HTTP TRACE functionality to gain access to
information in HTTP headers such as cookies and authentication data.
In the presence of other cross-domain vulnerabilities in web browsers,
sensitive header information could be read from any domains that
support the HTTP TRACE method.
Most likely it wont, but it is hard to judge from your information.
I imagine you are running FreeBSD 4.10 but this is an httpserver
issue so you might want to note which httpserver you are using.
As I understand it: They wont compromise a server using this. It
is a client side issue. If you have customers using badly written
httpclients however, they might be impersonated using this cross-site
scripting combined with HTTP TRACE. So to protect these customers
you might want to disable HTTP TRACE.
You can test wether you server supports TRACE by:
mph% telnet www.apache.org 80
TRACE / HTTP/1.1
Host: www.apache.org
(blank)
Replace www.apache.org with your own server name. If first line in
the response is 400 it doesn't.
For FreeBSD advisories subscribe to the security-advisories mailing
list. And follow the advisories for you software (e.g. apache).
--
Martin P. Hansen
More information about the freebsd-questions
mailing list