Bug 28805 - Apache cross-site-scripting attacks
Summary: Apache cross-site-scripting attacks
Status: RESOLVED DUPLICATE of bug 26529
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Linux bug wranglers
URL: http://apache.org
Reported: 2003-09-15 09:55 UTC by Brett Simpson
Modified: 2005-07-17 13:06 UTC

Description Brett Simpson 2003-09-15 09:55:46 UTC
Issue: Apache supports the TRACE and/or TRACK methods by default. It has been 
shown that servers supporting this method are subject to cross-site-scripting attacks, 
dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various 
weaknesses in browsers. An attacker may use this flaw to obtain the credentials of a 
legitimate user. 
 
Solution: Disable these methods by adding the following lines for each virtual host in 
httpd.conf: 
 
RewriteEngine on 
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) 
RewriteRule .* - [F] 
 
Could the above lines be added to the apache.conf?
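
Added example (not part of the original report, and not Gentoo or Apache project code): a static audit that reads httpd.conf-style text and lists, for each virtual host, which of TRACE and TRACK the rewrite rule quoted above leaves unblocked. The sample config, the function name audit_vhosts and the MATCH_ALL list are assumptions made for illustration; included files and inherited rewrite settings are not followed.

```python
import re
# Constructed sample (not from the bug report): the first vhost carries the
# report's rule, the second has none, the third only covers TRACE.
SAMPLE_CONF = """\
<VirtualHost a.example:80>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
</VirtualHost>
<VirtualHost b.example:80>
  DocumentRoot /var/www/b
</VirtualHost>
<VirtualHost c.example:80>
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE$
  RewriteRule .* - [F]
</VirtualHost>
"""
METHODS = ("TRACE", "TRACK")
MATCH_ALL = {".*", "^", "^.*$", "^/"}  # rule patterns treated as "every URL"

def audit_vhosts(conf_text):
    """Map each <VirtualHost> to the methods its rewrite rules leave unblocked."""
    report, vhost = {}, None
    for line in conf_text.splitlines():
        words = line.split()
        key = words[0].lower() if words else "#"
        if key.startswith("<virtualhost"):
            vhost = {"name": " ".join(words[1:]).rstrip(">"), "engine": False,
                     "conds": [], "blocked": set()}
        elif vhost is None or key.startswith("#"):
            continue  # comment, blank line, or directive outside any vhost
        elif key == "</virtualhost>":
            ok = vhost["blocked"] if vhost["engine"] else set()
            report[vhost["name"]] = [m for m in METHODS if m not in ok]
            vhost = None
        elif key == "rewriteengine" and len(words) > 1:
            vhost["engine"] = words[1].lower() == "on"
        elif key == "rewritecond":
            vhost["conds"].append(words[1:3])
        elif key == "rewriterule" and len(words) > 2:
            conds, vhost["conds"] = vhost["conds"], []
            if (len(conds) == 1 and len(conds[0]) == 2 and words[1] in MATCH_ALL
                    and conds[0][0].upper() == "%{REQUEST_METHOD}"
                    and "F" in words[-1].strip("[]").upper().split(",")):
                # Python's re stands in for Apache's PCRE on these simple patterns
                pat = re.compile(conds[0][1])
                vhost["blocked"] |= {m for m in METHODS if pat.search(m)}
    return report
```

The audit is deliberately conservative: a rule with extra conditions, a narrower URL pattern or no F flag is reported as leaving the method unblocked.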
Comment 1 SpanKY gentoo-dev 2003-09-15 10:07:40 UTC

*** This bug has been marked as a duplicate of 26529 ***