Hi,

I propose to add the following to httpd.conf:

    # http://www.apacheweek.com/issues/03-01-24#news
    # When an HTTP TRACE request is sent to a web server that
    # supports it, that server will respond echoing the data
    # that is passed to it, including any HTTP headers.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

Below is the thread which has led me into this issue:

On 4/26/06, Jesus Cea <jcea@argo.es> wrote:
>>> > You may want to disable the TRACE method in Apache to
>>> > prevent cookie stealing.
>
>> Uhm? That was new to me. How does TRACE help to steal cookies?

See http://www.apacheweek.com/issues/03-01-24#news

The basic gist is that the TRACE method (which is built directly into the
Apache internals; you can't handle it with your own handler, for instance)
will echo out all of the cookies back to the caller. This actually is a
"vulnerability", if you will, in the HTTP protocol, so it's not just an
Apache thing. It involves the ability of the new "AJAX" style JavaScript to
get a copy of any of the cookies from a site, which can then send those
cookies to a different site, thus silently stealing your cookies.

The safest thing is to simply disable TRACE.

The notes for http://issues.apache.org/jira/browse/MODPYTHON-108 contain
related information, especially the HttpOnly cookie property. Follow the
links mentioned in that note for even more information on the subject.

--
Deron Meranda

_______________________________________________
Mod_python mailing list
Mod_python@modpython.org
http://mailman.modpython.org/mailman/listinfo/mod_python
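As an added verification check (example code, not part of the original mail or of mod_python), the probe below sends a TRACE request carrying a constructed marker header and reports whether the server echoes it back in the response body, which is exactly the behaviour the thread describes. It runs against two constructed stand-in servers: one that echoes TRACE like an unhardened Apache and one that refuses with 403 as the RewriteRule above would.

```python
import http.server
import socket
import threading

MARKER = "X-Trace-Probe: probe-constructed-value"  # constructed header, used only by this probe

def trace_enabled(host, port, timeout=3.0):
    """True when the server answers TRACE with 200 and echoes our marker header,
    i.e. it mirrors request headers (cookies included) back to the caller."""
    request = f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return b" 200 " in head.split(b"\r\n", 1)[0] and MARKER.encode() in body

class _FakeApache(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in server: echoes TRACE when trace_on, otherwise answers 403."""
    trace_on = True
    protocol_version = "HTTP/1.0"  # close after each response so the probe's read ends

    def do_TRACE(self):
        if not self.trace_on:
            self.send_response(403)  # what the RewriteRule's [F] flag produces
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep request logging quiet
        pass

def demo():
    """Probe an echoing stand-in and a hardened one; returns [True, False]."""
    results = []
    for trace_on in (True, False):
        handler = type("Handler", (_FakeApache,), {"trace_on": trace_on})
        srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        results.append(trace_enabled("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
    return results
```

Point trace_enabled at a real host after applying the rewrite rules to confirm the change took effect; Apache releases from 1.3.34 and 2.0.55 onward also offer the TraceEnable directive (not mentioned in the mail), which answers TRACE with 405 instead.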
*** This bug has been marked as a duplicate of 26529 ***