Date: Sat, 24 Dec 2005 02:09:25 +0100
From: "Martin P. Hansen"
To: Payne
Cc: freebsd-questions@freebsd.org
Subject: Re: Http Trace.
Message-ID: <20051224010925.GA28824@echobase.hoth.dk>
In-Reply-To: <43AC8AA0.6010802@magidesign.com>

On Fri, 23 Dec 2005, Payne wrote:
> I am running 4.10 and I am wondering if this affects me.
>
> http://www.kb.cert.org/vuls/id/867593

Payne,

Quoted http://www.kb.cert.org/vuls/id/867593:

    Attackers may abuse HTTP TRACE functionality to gain access to
    information in HTTP headers such as cookies and authentication data.
    In the presence of other cross-domain vulnerabilities in web browsers,
    sensitive header information could be read from any domains that
    support the HTTP TRACE method.

Most likely it won't, but it is hard to judge from your information. I
imagine you are running FreeBSD 4.10, but this is an HTTP server issue, so
you might want to note which HTTP server you are using.

As I understand it: they won't compromise a server using this. It is a
client-side issue. If you have customers using badly written HTTP clients,
however, they might be impersonated using this cross-site scripting
combined with HTTP TRACE. So to protect these customers you might want to
disable HTTP TRACE.

You can test whether your server supports TRACE by:

    mph% telnet www.apache.org 80
    TRACE / HTTP/1.1
    Host: www.apache.org
    (blank)

Replace www.apache.org with your own server name. If the first line in the
response is 400, it doesn't.

For FreeBSD advisories, subscribe to the security-advisories mailing list,
and follow the advisories for your software (e.g. apache).

-- 
Martin P. Hansen
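
Added example, not part of the original message: the telnet check above as a script to run against a server you administer. It goes slightly beyond the status-line test by also requiring that the reply echo the request back, which is what a TRACE-enabled server does. The X-Trace-Check header name, the marker value and the sample responses are assumptions made up for this example.

```python
import socket
import sys

MARKER_HEADER = "X-Trace-Check"  # hypothetical header name, used only as an echo marker


def build_request(host, marker):
    """Same request as the telnet session, plus a marker header to look for in the echo."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
            f"{MARKER_HEADER}: {marker}\r\nConnection: close\r\n\r\n").encode("ascii")


def trace_enabled(response, marker):
    """True only if the server answered 2xx and echoed our request back in the body."""
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return False                       # not an HTTP response at all
    if not status_line[1].startswith(b"2"):
        return False                       # 400, 403, 405, 501 ...: TRACE refused
    return marker.encode("ascii") in body  # a 200 without the echo is not TRACE


def probe(host, port=80, marker="trace-check-1", timeout=5.0):
    """Send the TRACE request and classify whatever comes back before close or timeout."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, marker))
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                           # server kept the connection open
    return trace_enabled(b"".join(chunks), marker)


# Constructed sample responses (not captured from any real server).
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.1\r\nHost: www.example.org\r\nX-Trace-Check: trace-check-1\r\n\r\n")
SAMPLE_REFUSED = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_HOMEPAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("TRACE enabled" if probe(sys.argv[1]) else "TRACE not enabled")
```

Run it with your own server name as the only argument.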