Date: Sat, 24 Dec 2005 02:09:25 +0100
From: "Martin P. Hansen" <mph@lima.dyndns.dk>
To: Payne <payne@magidesign.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Http Trace.
Message-ID: <20051224010925.GA28824@echobase.hoth.dk>
In-Reply-To: <43AC8AA0.6010802@magidesign.com>
References: <43AC8AA0.6010802@magidesign.com>
On Fri, 23 Dec 2005, Payne wrote:
> I am running 4.10 and I am wondering if this affects me.
>
> http://www.kb.cert.org/vuls/id/867593

Payne quoted http://www.kb.cert.org/vuls/id/867593:

    Attackers may abuse HTTP TRACE functionality to gain access to
    information in HTTP headers such as cookies and authentication data.
    In the presence of other cross-domain vulnerabilities in web browsers,
    sensitive header information could be read from any domains that
    support the HTTP TRACE method.

Most likely it won't, but it is hard to judge from your information. I imagine you are running FreeBSD 4.10, but this is an HTTP server issue, so you might want to note which HTTP server you are using.

As I understand it: they won't compromise a server using this. It is a client-side issue. If you have customers using badly written HTTP clients, however, they might be impersonated using this cross-site scripting combined with HTTP TRACE. So to protect these customers you might want to disable HTTP TRACE.

You can test whether your server supports TRACE by:

    mph% telnet www.apache.org 80
    TRACE / HTTP/1.1
    Host: www.apache.org
    (blank)

Replace www.apache.org with your own server name. If the first line in the response is 400, it doesn't.

For FreeBSD advisories subscribe to the security-advisories mailing list, and follow the advisories for your software (e.g. apache).

-- 
Martin P. Hansen
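The telnet check above, written up as a small Python script so an administrator can run it against their own servers and read the result without eyeballing a terminal session. This is an added example, not code from the mailing-list thread. It sends the same request Martin types (TRACE, a Host header, a blank line) and classifies the reply. It goes a little beyond the mail: it treats any non-2xx status as "TRACE disabled", because Apache with TRACE turned off answers 405 rather than 400, and for a 2xx reply it lists which request header names the server echoed back, since that reflected copy of the request is exactly what the CERT note is worried about. The sample responses are constructed for offline testing, and www.example.com is a placeholder host.

```python
import socket
import sys
from typing import List, Tuple

# Constructed sample replies (not captured from any real server), used so the
# parsing functions can be exercised offline.
_ECHO_BODY = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_TRACE_ECHO = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    + b"Content-Length: " + str(len(_ECHO_BODY)).encode() + b"\r\n\r\n"
    + _ECHO_BODY
)
SAMPLE_METHOD_NOT_ALLOWED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def build_trace_request(host: str) -> bytes:
    """The request from the mail: TRACE, a Host header, then a blank line.
    Connection: close is added so the server ends the reply for us."""
    return f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def parse_status_line(response: bytes) -> Tuple[str, int, str]:
    """Split the first response line into (version, status code, reason)."""
    first_line = response.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {first_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason


def trace_supported(response: bytes) -> bool:
    """True when the server answered TRACE with a 2xx, i.e. the method is enabled.
    The mail only mentions 400; Apache with TRACE disabled replies 405, and
    either way a non-2xx means nothing is echoed, so any non-2xx counts as off."""
    _, status, _ = parse_status_line(response)
    return 200 <= status < 300


def echoed_request_headers(response: bytes) -> List[str]:
    """For a 2xx TRACE reply the body is the request as the server saw it
    (Content-Type: message/http). Return the header names it reflects so the
    admin can see what a cross-site TRACE would hand back to a script."""
    if not trace_supported(response):
        return []
    _, _, body = response.partition(b"\r\n\r\n")
    lines = body.decode("latin-1").split("\r\n")
    return [ln.split(":", 1)[0] for ln in lines[1:] if ":" in ln]


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the TRACE request to host:port and return the raw reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # With a hostname argument the script probes that server; without one it
    # runs the classification over the constructed sample reply.
    reply = probe_trace(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TRACE_ECHO
    version, status, reason = parse_status_line(reply)
    print(f"{version} {status} {reason}")
    print("TRACE enabled:", trace_supported(reply))
    print("request headers reflected:", echoed_request_headers(reply))
```

If the script reports TRACE enabled on an Apache httpd 2.0.55 or later, `TraceEnable Off` in httpd.conf turns the method off server-wide (that directive is not mentioned in the thread; older Apache releases need a rewrite rule instead). Re-run the probe afterwards and expect a 405.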