[28591] in bugtraq


Re: TRACE used to increase the dangerous of XSS.

daemon@ATHENA.MIT.EDU (Jeremiah Grossman)
Thu Jan 23 15:50:51 2003

From: Jeremiah Grossman <jeremiah@whitehatsec.com>
To: Doug Monroe <doug@planetconnect.com>
In-Reply-To: <3E2F5345.9A9D977A@planetconnect.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 22 Jan 2003 18:41:18 -0800
Message-Id: <1043289685.1349.661.camel@localhost.localdomain>
Mime-Version: 1.0


On Wed, 2003-01-22 at 18:28, Doug Monroe wrote:
> Jeremiah Grossman wrote:
> > 
> > WhiteHat Security has released a new white paper discussing a new class
> > of web-app-sec attack (XST) which potentially affects all web servers
> > supporting TRACE.
> 
> thanks for the interesting findings. 
> Respectfully- the apache solution proposed by RFP in the "Server Specific
> Recommendation" might alternatively be crafted as:
>   RewriteEngine on
>   RewriteCond %{REQUEST_METHOD}  !^(GET|POST)$
>   RewriteRule .* - [F]
> 


Cool, that should lock down strange HTTP request methods nicely. We
tried something similar on ISS/Exchange and it turned off some
functionality.

Careful using this type of method if you're using Application Servers
which depend on request methods other than GET or POST.
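
Added example, not part of the original message or of the white paper: one way to see what the quoted rewrite rule would refuse before deploying it is to replay an access log against the same method pattern. The function name and the log lines (Apache common log format) are constructed for illustration.

```python
import re
from collections import Counter

# Same pattern as the RewriteCond in the quoted rule: any method that is
# not exactly GET or POST gets the [F] (403 Forbidden) response.
ALLOWED = re.compile(r"^(GET|POST)$")

# Request field of a common log format line: "METHOD path PROTOCOL"
REQUEST_FIELD = re.compile(r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?"')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jan/2003:18:00:01 -0800] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [22/Jan/2003:18:00:02 -0800] "POST /login HTTP/1.1" 302 0
192.0.2.12 - - [22/Jan/2003:18:00:03 -0800] "HEAD /index.html HTTP/1.1" 200 0
192.0.2.13 - - [22/Jan/2003:18:00:04 -0800] "TRACE / HTTP/1.1" 200 120
192.0.2.14 - - [22/Jan/2003:18:00:05 -0800] "PROPFIND /exchange/ HTTP/1.1" 207 512
192.0.2.14 - - [22/Jan/2003:18:00:06 -0800] "PROPFIND /exchange/inbox HTTP/1.1" 207 800
192.0.2.16 - - [22/Jan/2003:18:00:08 -0800] "-" 408 0
"""


def methods_rule_would_block(log_text):
    """Return (Counter of methods the rule would refuse, count of unparsed lines)."""
    blocked = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        match = REQUEST_FIELD.search(line)
        if not match:
            # Timed-out or malformed requests are logged without a method.
            unparsed += 1
            continue
        method = match.group("method")
        if not ALLOWED.match(method):
            blocked[method] += 1
    return blocked, unparsed


if __name__ == "__main__":
    blocked, unparsed = methods_rule_would_block(SAMPLE_LOG)
    # TRACE is the intended target; HEAD and WebDAV methods such as
    # PROPFIND are refused by the same rule and show up here as well.
    for method, count in blocked.most_common():
        print(f"{method:10} {count} request(s) would receive 403")
    print(f"{unparsed} line(s) had no parseable request field")
```

Any method in the output that a deployed application legitimately uses has to be added to the pattern's alternation before the rule goes live.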



