bugzilla at apache
Nov 24, 2009, 3:25 PM
[Bug 48277] New: TraceEnable directive not secure by default
https://issues.apache.org/bugzilla/show_bug.cgi?id=48277

           Summary: TraceEnable directive not secure by default
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs [at] httpd
        ReportedBy: marsh [at] extendedsubset

HTTP has long defined a TRACE verb.

A well-known paper on web security from 2003
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
clearly documents the opportunities for evil provided by TRACE.

Web security scanners warn when TRACE is enabled:
http://nessus.org/plugins/index.php?view=single&id=11213

My recent attack on TLS/SSL
http://extendedsubset.com/Renegotiating_TLS.pdf
highlights the need to disable TRACE. Having TRACE enabled may allow an
attacker to leverage the blind plaintext injection attack into arbitrary
evil script running in the browser from the origin of the target website.

Apache provides a configuration directive to disable TRACE.
http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

However, the default setting leaves it in the enabled, insecure
configuration.

It is time to set the default to the secure configuration.
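The report argues from two facts a practitioner will want to verify on a live server: with the default (TraceEnable on) httpd answers TRACE with 200 and a message/http body that echoes the request, including any Cookie header the browser attached; with "TraceEnable off" in httpd.conf it answers 405 Method Not Allowed. The checker below is an added example, not code from the bug report or from Apache httpd. It builds a TRACE request carrying a cookie, classifies a raw HTTP response as TRACE-enabled or not, and reports which sensitive request headers were reflected in the body. The two sample responses are constructed for illustration, as are the function names and the probe() helper (which does the network round trip and is the only part that needs a real server).

```python
"""Probe for an enabled HTTP TRACE method and reflected request headers.

Added example, not part of the bug report or of Apache httpd.  Function
names, the SAMPLE_* responses and the probe() helper are assumptions made
for this illustration.
"""
import socket
from typing import Dict, List, Tuple

# Request headers an attacker would want echoed back (cross-site tracing).
SENSITIVE_HEADERS = ("cookie", "authorization")


def build_trace_request(host: str, path: str = "/", cookie: str = "") -> bytes:
    """Build a minimal HTTP/1.1 TRACE request (no body, as TRACE requires)."""
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(raw: bytes) -> Dict[str, object]:
    """Decide whether TRACE is enabled and which sensitive headers it reflects.

    httpd with TraceEnable on: 200 + Content-Type: message/http, body = request.
    httpd with TraceEnable off: 405 Method Not Allowed.
    """
    status, headers, body = parse_response(raw)
    enabled = status == 200 and headers.get("content-type", "").startswith("message/http")
    reflected: List[str] = []
    if enabled:
        echoed = body.decode("iso-8859-1").splitlines()
        for name in SENSITIVE_HEADERS:
            if any(line.lower().startswith(name + ":") for line in echoed):
                reflected.append(name)
    return {"status": status, "trace_enabled": enabled, "reflected_headers": reflected}


def probe(host: str, port: int = 80, cookie: str = "canary=1") -> Dict[str, object]:
    """Send the TRACE request over plain TCP and classify the answer (needs a live server)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_trace_request(host, cookie=cookie))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample: what an httpd with the default TraceEnable on returns.
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: close\r\n"
    b"Cookie: SESSIONID=deadbeef\r\n"
    b"\r\n"
)

# Constructed sample: what httpd returns once "TraceEnable off" is configured.
SAMPLE_TRACE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>\r\n"
)

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_TRACE_ENABLED), ("TraceEnable off", SAMPLE_TRACE_DISABLED)):
        print(label, classify_trace_response(sample))
```

The reflected-header check is the part that matters for the cross-site-tracing and plaintext-injection cases the report cites: a 200 with message/http alone shows TRACE is on, but a body that echoes "Cookie:" is what hands the session token to whoever can read the response. Against a real host, call probe("www.example.com") and expect trace_enabled to be False after "TraceEnable off" is set and httpd is reloaded.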