[28585] in bugtraq
Re: TRACE used to increase the dangerous of XSS.
daemon@ATHENA.MIT.EDU (Doug Monroe)
Thu Jan 23 14:05:08 2003
Message-ID: <3E2F5345.9A9D977A@planetconnect.com>
Date: Wed, 22 Jan 2003 21:28:21 -0500
From: Doug Monroe <doug@planetconnect.com>
MIME-Version: 1.0
To: Jeremiah Grossman <jeremiah@whitehatsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Jeremiah Grossman wrote:
>
> WhiteHat Security has released a new white paper discussing a new class
> of web-app-sec attack (XST) which potentially affects all web servers
> supporting TRACE.
Thanks for the interesting findings.
Respectfully, the Apache solution proposed by RFP in the "Server Specific
Recommendation" might alternatively be crafted as:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [F]
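
One way to check what the rule above lets through once it is deployed, added here as an example and not part of the original message: probe a host with several methods and list any method other than GET or POST that does not come back 403, which is what the [F] flag returns. The names `StubHandler`, `probe`, `not_refused` and `demo` are hypothetical, and the stub server is a constructed stand-in that applies the same pattern so the check runs offline.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Same pattern as the RewriteCond in the message; the rule forbids on non-match.
ALLOWED = re.compile(r"^(GET|POST)$")
PROBES = ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE"]

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a host with the rule applied (not Apache)."""
    def _answer(self):
        self.send_response(200 if ALLOWED.match(self.command) else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = do_HEAD = do_OPTIONS = do_PUT = do_DELETE = do_TRACE = _answer
    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(host, port, methods=PROBES):
    """Send one request per method and return {method: HTTP status}."""
    statuses = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, "/")
            resp = conn.getresponse()
            resp.read()
            statuses[method] = resp.status
        finally:
            conn.close()
    return statuses

def not_refused(statuses):
    """Methods outside GET/POST that did not get 403 Forbidden."""
    return sorted(m for m, s in statuses.items() if not ALLOWED.match(m) and s != 403)

def demo():
    """Start the constructed stub on a free local port and probe it."""
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for method, status in demo().items():
        print(f"{method:8} {status}")
```

Against a server you administer, call `probe()` with its host and port and pass the result to `not_refused()`. Because the rule is an allow-list, HEAD and OPTIONS are refused along with TRACE, so confirm that monitoring or clients relying on HEAD are not affected.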