I was playing around with OSSIM and I did a vulnerability scan on my HDA and it came up with the below
Synopsis:
Debugging functions are enabled on the remote HTTP server.
Description:
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give
him their credentials.
Solution:
Disable these methods.
See also:
http://www.kb.cert.org/vuls/id/867593
Plugin output:
Solution:
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
CVSS Base Score : 5.8
Is this something that is well known and I was dumb enough not to change it, or will adding those lines break the HDA web services?
Cross Site Tracing Vulnerability
Re: Cross Site Tracing Vulnerability
If you don't have your HDA exposed to outside your network, this is irrelevant. Not sure if it will break anything without testing first though.
ßîgƒσστ65
Applications Manager
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2
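A way to answer both the scanner finding above and the reply's "test first" advice is to probe your own HDA for TRACE/TRACK before and after adding the rewrite rules. The script below is an added example, not part of this thread or of OSSIM/Amahi; the host name, the `X-Probe` header and the three sample responses are constructed for illustration. A server that honours TRACE echoes the request back (typically with `Content-Type: message/http`), which is why the finding matters: any cookie or Authorization header the browser sent comes back in the body. After the `RewriteRule .* - [F]` from the plugin output is in place, the same probe should get a 403.

```python
import sys
import http.client

# Constructed sample responses (status, headers, body) standing in for what a
# TRACE probe might return. They are illustrative, not captured from a real HDA.
SAMPLE_TRACE_ENABLED = (
    200,
    {"Content-Type": "message/http"},
    "TRACE / HTTP/1.1\r\nHost: hda.example\r\nCookie: session=abc123\r\n\r\n",
)
SAMPLE_REJECTED_BY_REWRITE = (403, {"Content-Type": "text/html"}, "<h1>Forbidden</h1>")
SAMPLE_METHOD_DISABLED = (405, {"Allow": "GET,HEAD,POST,OPTIONS"}, "")


def trace_enabled(status, headers, body):
    """Return True only when the response shows the server honoured the method.

    A 200 alone is not enough: some servers answer 200 with a normal page for
    unknown methods. We require either the message/http content type or a body
    that starts with the echoed request line.
    """
    if status != 200:
        return False
    ctype = headers.get("Content-Type", "").lower()
    if "message/http" in ctype:
        return True
    return body.lstrip().upper().startswith(("TRACE ", "TRACK "))


def verdict(status, headers, body):
    """Human-readable classification for an administrator's notes."""
    if trace_enabled(status, headers, body):
        return "enabled (request echoed back; disable it)"
    if status in (403, 405, 501):
        return "rejected with %d (expected after the rewrite rule or TraceEnable off)" % status
    return "not echoed (status %d)" % status


def probe(host, port=80, method="TRACE", path="/", use_tls=False, timeout=5):
    """Send one TRACE/TRACK probe to a server you administer and classify it.

    The X-Probe header is a harmless marker: if it comes back in the body the
    server is echoing headers verbatim. Nothing sensitive is sent.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={"Host": host, "X-Probe": "trace-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", errors="replace")
        headers = dict(resp.getheaders())
        return {
            "method": method,
            "status": resp.status,
            "enabled": trace_enabled(resp.status, headers, body),
            "verdict": verdict(resp.status, headers, body),
            "echoed_marker": "trace-check" in body,
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, sample in (("enabled", SAMPLE_TRACE_ENABLED),
                         ("rewrite 403", SAMPLE_REJECTED_BY_REWRITE),
                         ("405", SAMPLE_METHOD_DISABLED)):
        print("%-12s -> %s" % (name, verdict(*sample)))
    # Live check against your own HDA: python trace_check.py hda.example [port]
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for m in ("TRACE", "TRACK"):
            print(probe(host, port, method=m))
```

Run it once before editing the virtual host configuration, add the three `Rewrite*` lines from the plugin output (mod_rewrite must be loaded for them to take effect), restart Apache, and run it again; the verdict should change from "enabled" to "rejected with 403". Apache also has a `TraceEnable off` directive that refuses TRACE with a 405 without needing mod_rewrite; either approach satisfies the scanner, and neither touches GET/POST, so normal HDA web applications keep working.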