Cross Site Tracing Vulnerability
Posted: Fri Mar 08, 2013 9:29 pm
I was playing around with OSSIM and I did a vulnerability scan on my HDA and it came up with the below
Synopsis:
Debugging functions are enabled on the remote HTTP server.
Description:
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give
him their credentials.
Solution:
Disable these methods.
See also:
http://www.kb.cert.org/vuls/id/867593
Plugin output:
Solution:
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
CVSS Base Score : 5.8
Is this something that is well known and I was dumb enough to not change it or will adding those lines break the hda web services?
Synopsis:
Debugging functions are enabled on the remote HTTP server.
Description:
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give
him their credentials.
Solution:
Disable these methods.
See also:
http://www.kb.cert.org/vuls/id/867593
Plugin output:
Solution:
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
CVSS Base Score : 5.8
Is this something that is well known and I was dumb enough to not change it or will adding those lines break the hda web services?