On Wed, Jan 22, 2003 at 02:47:58PM -0800, Jerry Asher wrote:
<snip>
> It goes away entirely if the server doesn't implement TRACE. It will
> not cause cross site leakage unless your browser already has a cross
> site leakage bug in it. IE currently does. Other browsers may or may
> not have bugs. When will you be secure that your browser has none of
> these bugs?
Ugh.
<snip>
> The news article claims that Apache needs a patch and can't just be
> configured to not implement TRACE. Does anyone know if that is so?
Think I found a way to work around the problem using Apache's mod_rewrite
(something that may be good to add to OpenACS' request processor). By
adding the lines below (with mod_rewrite being loaded) to the VirtualHost
section, the server should send a Forbidden response.
Weirdly, I get a Bad request (the same request works fine if I take the
rewrite rules off), but at least the TRACE isn't completed.
# RBM: 2002-01-22. Kill TRACE exploits.
RewriteEngine on
# Match only requests whose method is TRACE.
RewriteCond %{REQUEST_METHOD} ^TRACE
# "-" means "leave the URL unchanged" and is required: without it Apache
# reads "[F]" as the substitution string instead of as the flag.
# [F] makes Apache answer 403 Forbidden.
RewriteRule .* - [F]
-Roberto
--
+----| Roberto Mello - http://www.brasileiro.net/ |------+
+ Computer Science Graduate Student, Utah State University +
+ USU Free Software & GNU/Linux Club - http://fslc.usu.edu/ +
What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water.
-- Matt Welsh
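A client-side check that the rule above actually stops TRACE, as an added example that is not part of the original thread or of Apache: it sends one TRACE request and reports whether the server echoed it back (TRACE live) or refused it (403/405, or the 400 Roberto saw). The header name X-Check and the probe function are my own constructions.

```python
import socket

# Marker header so the echo of our own request is recognisable in the body.
PROBE_HEADER = b"X-Check: trace-probe"


def build_trace_request(host, path="/"):
    """Minimal HTTP/1.0 TRACE request carrying the marker header."""
    return (b"TRACE " + path.encode() + b" HTTP/1.0\r\n"
            b"Host: " + host.encode() + b"\r\n"
            + PROBE_HEADER + b"\r\n\r\n")


def classify_trace_response(raw):
    """Classify a raw HTTP reply to the TRACE request.

    'echoed'  - the body contains our request, so TRACE is enabled
    'blocked' - a 4xx reply without an echo (403 from [F], 405 when the
                method is not implemented, or a 400 as in the thread)
    'other'   - anything else (e.g. 200 with a normal page body)
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    if b"TRACE " in body and PROBE_HEADER in body:
        return "echoed"
    if 400 <= code < 500:
        return "blocked"
    return "other"


def probe_trace(host, port=80, path="/", timeout=5.0):
    """Send one TRACE request to host:port and classify the reply.

    Hypothetical helper; run it against your own server after adding
    the rewrite rules to confirm the answer is 'blocked'.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))
```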