
Bug 28805

Summary: Apache cross-site-scripting attacks
Product: Gentoo Linux Reporter: Brett Simpson <simpsonb>
Component: New packages    Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE    
Severity: critical    
Priority: High    
Version: 1.4   
Hardware: All   
OS: Linux   
URL: http://apache.org
Whiteboard:
Package list:
Runtime testing required: ---

Description Brett Simpson 2003-09-15 09:55:46 UTC
Issue: Apache supports the TRACE and/or TRACK methods by default. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to obtain the credentials of a legitimate user.

Solution: Disable these methods by adding the following lines for each virtual host in httpd.conf:

# Answer TRACE and TRACK requests with 403 Forbidden (needs mod_rewrite loaded)
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Could the above lines be added to the apache.conf?
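A way to verify that the rule above actually took effect, added here as an example and not part of the bug report: a Python probe sends one TRACE request and classifies the answer as blocked or reflected. Real Apache is replaced by a constructed local stand-in server that either echoes the request, as an unprotected server does, or answers 403 as the RewriteRule does; the marker header name X-Xst-Probe is an assumption.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Xst-Probe"  # hypothetical header used to recognise an echoed request


def classify_trace_reply(raw: bytes) -> str:
    """'blocked' if refused, 'reflected' if our request was echoed back
    (the XST precondition), otherwise 'unknown'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    if code in (403, 405, 501):
        return "blocked"
    if code == 200 and MARKER.encode() in body:
        return "reflected"
    return "unknown"


def probe_trace(host: str, port: int, timeout: float = 5.0) -> str:
    """Send one TRACE request carrying the marker header; classify the reply."""
    req = f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}: canary\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req.encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return classify_trace_reply(data)


class StandIn(BaseHTTPRequestHandler):
    # Constructed stand-in for Apache: echoes TRACE unless `blocked` is set.
    blocked = False

    def do_TRACE(self):
        if self.blocked:  # what "RewriteRule .* - [F]" answers
            self.send_error(403)
            return
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run_check(blocked: bool) -> str:
    """Start a stand-in on a free local port, probe it once, return the verdict."""
    srv = HTTPServer(("127.0.0.1", 0), type("H", (StandIn,), {"blocked": blocked}))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_trace("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
```

Against a real host, call probe_trace(host, 80) after reloading Apache; anything other than "blocked" means the rule is not active for that virtual host.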
Comment 1 SpanKY gentoo-dev 2003-09-15 10:07:40 UTC

*** This bug has been marked as a duplicate of 26529 ***