On Wed, Jan 22, 2003 at 02:47:58PM -0800, Jerry Asher wrote: <snip>
> It goes away entirely if the server doesn't implement TRACE. It will
> not cause cross site leakage unless your browser already has a cross
> site leakage bug in it. IE currently does. Other browsers may or may
> not have bugs. When will you be secure that your browser has none of
> these bugs? Ugh.

<snip>

> The news article claims that Apache needs a patch and can't just be
> configured to not implement TRACE. Does anyone know if that is so?

I think I found a way to work around the problem using Apache's
mod_rewrite (something that may be good to add to OpenACS' request
processor). By adding the lines below (with mod_rewrite being loaded)
to the VirtualHost section, the server should send a Forbidden
response. Weirdly, I get a Bad request (the same request works fine if
I take the rewrite rules off), but at least the TRACE isn't completed.

    # RBM: 2002-01-22. Kill TRACE exploits.
    RewriteEngine on
    # Only fire when the request method is TRACE.
    RewriteCond %{REQUEST_METHOD} ^TRACE
    # "-" means "leave the URL alone"; [F] answers 403 Forbidden.
    # Without the "-" the flags would be taken as the substitution URL.
    RewriteRule .* - [F]

-Roberto

-- 
+----| Roberto Mello - http://www.brasileiro.net/ |------+
+ Computer Science Graduate Student, Utah State University +
+ USU Free Software & GNU/Linux Club - http://fslc.usu.edu/ +
What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water.
                -- Matt Welsh
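The thread is about whether TRACE is really disabled, so here is a way to check that from the outside, added as an example and not part of Roberto's message or of OpenACS. It sends a TRACE request carrying a Cookie header and reports whether the response body echoes that cookie back, which is the cross-site-tracing leak the quoted reply refers to. So that it runs offline, it spins up two constructed stand-in servers on localhost: one that still implements TRACE (echoing the request as message/http, as a stock server does) and one that refuses it with 403, standing in for Apache after the rewrite rule. The handler classes, ports and cookie value are assumptions for the demo; against a real host you would call probe_trace() with its address instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a server that still implements TRACE.
# It echoes the request line and headers back, so anything the
# browser attached (cookies, Authorization) ends up in the body.
class EchoTraceHandler(BaseHTTPRequestHandler):
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


# Stand-in for the server once TRACE is refused (the rewrite rule's [F]).
class ForbidTraceHandler(EchoTraceHandler):
    def do_TRACE(self):
        self.send_error(403)


def probe_trace(host, port, cookie="session=secret-demo-value"):
    """Send TRACE with a marker cookie; return (status, leaked).

    leaked is True when the marker shows up in the response body,
    i.e. the server reflected our headers back to the caller.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, cookie in body
    finally:
        conn.close()


def probe_handler(handler_cls):
    """Run the probe against a throwaway local server using handler_cls."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: pick a free port
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_trace("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, cls in (("echoing", EchoTraceHandler), ("forbidding", ForbidTraceHandler)):
        status, leaked = probe_handler(cls)
        print(f"{name:10s} server: status={status} cookie_leaked={leaked}")
```

A server that is safe from this should answer TRACE with 403 (or 405/501) and, more importantly, never reflect the request headers; the 400 Roberto observed is also a non-leak, since the body is the server's error page rather than an echo of the request.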