speedy
06-15-2007, 07:26 AM
TRACE and TRACK are debugging functions that are enabled by default in most web servers (Apache, IIS, etc.).
It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
Solution:
Disable these methods.
See also:
http://www.kb.cert.org/vuls/id/867593
Open your Apache conf file:
nano -w /etc/httpd/conf/httpd.conf
Scroll down to the end of the file, and right above “#<VirtualHost *:80>” add this:
# Disable Trace and Track DEBUG functions in apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
Save and exit, then restart apache
/sbin/service httpd restart
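After the restart it is worth confirming that the rule actually took effect, since rewrite rules placed in the main server config are not inherited by <VirtualHost> blocks unless each one repeats them or sets RewriteOptions Inherit (Apache 2.0.55 and later also offer the simpler TraceEnable off directive). The following added example, not part of the original post, sends one TRACE request to a host you administer and reports whether the server refused the method (403 from the [F] rule, or 405/501) or echoed the request back, which would mean TRACE is still live; the header name X-Trace-Check is a constructed marker.

```python
import http.client
import ssl
import sys

# Status codes that mean the method was refused rather than served.
BLOCKED_STATUSES = {403, 405, 501}

# Constructed marker header: a reflected TRACE echoes it back in the body.
MARKER_NAME = "X-Trace-Check"
MARKER_VALUE = "hardening-verification"
MARKER = f"{MARKER_NAME}: {MARKER_VALUE}"


def classify_trace_response(status, content_type, body, marker=MARKER):
    """Classify a server's answer to a TRACE request.

    'blocked'   - method refused (403 from the mod_rewrite [F] rule,
                  405/501 when the method is disabled or unknown)
    'reflected' - server echoed the request (message/http body or our
                  marker header present), so TRACE is still enabled
    'unclear'   - anything else; inspect the response by hand
    """
    if status in BLOCKED_STATUSES:
        return "blocked"
    ctype = (content_type or "").lower()
    if status == 200 and ("message/http" in ctype or marker in body):
        return "reflected"
    return "unclear"


def check_trace(host, port=80, use_tls=False, timeout=5):
    """Send a single TRACE / to host:port and return (status, verdict)."""
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER_NAME: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", errors="replace")
        verdict = classify_trace_response(
            resp.status, resp.getheader("Content-Type"), body)
        return resp.status, verdict
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    code, result = check_trace(target)
    print(f"{target}: HTTP {code} -> TRACE {result}")
```

Run it once per virtual host name served by the box, because a rule that only lives in the main server section protects only requests handled there.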
