http TRACE XSS attack

Support for security such as Firewalls and securing linux
paolinuz
Posts: 18
Joined: 2008/12/15 13:54:54

http TRACE XSS attack

Postby paolinuz » 2009/05/08 15:09:42

Hi all,
I have tested my CentOS machine with OpenVAS (free security assessment software).
OpenVAS reported that my web server supports the TRACE and/or TRACK methods.
These methods are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.

The OpenVAS solution is to disable these methods by adding the following lines for each virtual host in my configuration file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

I have added this line but the problem persists.....

The Secunia website suggests updating the version of httpd from 2.2.52 to 2.2.10, but the CentOS repository doesn't have the 2.2.10 version.... but only the 2.2.52.....

Can you help me?

PS: excuse me for my bad English......

Regards
Paolo
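
The advice quoted above puts the three lines in each virtual host; by default, mod_rewrite settings in the main server context are not inherited by virtual hosts unless the virtual host sets RewriteEngine on and RewriteOptions inherit. The following Python script is an added example, not code from this thread: it lists the virtual hosts in a configuration that lack the rules. The sample configuration, host names and function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): the three lines are in the
# main server context and in one virtual host; a second virtual host has none.
SAMPLE_CONF = """\
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>

<VirtualHost *:80>
    ServerName intranet.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.I | re.S)
ENGINE_RE = re.compile(r"^\s*RewriteEngine\s+on\s*$", re.I | re.M)
INHERIT_RE = re.compile(r"^\s*RewriteOptions\s+.*\binherit\b", re.I | re.M)
COND_RE = re.compile(r"RewriteCond\s+%\{REQUEST_METHOD\}\s+\S*TRACE", re.I)
RULE_RE = re.compile(r"RewriteRule\s+\S+\s+-\s+\[[^\]]*\b(F|forbidden)\b", re.I)

def blocks_trace(section):
    """True if RewriteEngine is on and a TRACE cond is directly followed by an [F] rule."""
    lines = [s.strip() for s in section.splitlines() if s.strip()]
    pair = any(COND_RE.match(a) and RULE_RE.match(b)
               for a, b in zip(lines, lines[1:]))
    return bool(ENGINE_RE.search(section)) and pair

def unprotected_vhosts(conf):
    """Names of virtual hosts that neither carry the rules themselves nor
    pull them in from the main context with RewriteOptions inherit."""
    main = VHOST_RE.sub("", conf)  # main server context only
    missing = []
    for addr, body in VHOST_RE.findall(conf):
        inherits = (ENGINE_RE.search(body) and INHERIT_RE.search(body)
                    and blocks_trace(main))
        if not (blocks_trace(body) or inherits):
            name = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
            missing.append(name.group(1) if name else addr.strip())
    return missing

if __name__ == "__main__":
    print(unprotected_vhosts(SAMPLE_CONF))
```

The check only recognises the rule pair in the form quoted in the post; a configuration that restricts methods another way needs its own pattern.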

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

http TRACE XSS attack

Postby pschaff » 2009/05/08 15:13:53

paolinuz wrote:
...
The Secunia website suggests updating the version of httpd from 2.2.52 to 2.2.10, but the CentOS repository doesn't have the 2.2.10 version.... but only the 2.2.52.....
...


Looks like you are saying they are suggesting a downgrade based on the version numbers - generally a bad idea. Can you provide a link to the reference?

paolinuz
Posts: 18
Joined: 2008/12/15 13:54:54

Re: http TRACE XSS attack

Postby paolinuz » 2009/05/11 08:53:07

Hi pschaff,
sorry.... I was mistaken....

Really, the Secunia website suggests updating the version of httpd from 2.2.x to 2.2.10, but I have version 2.2.52.
I have lost the link to this page and I cannot find it.....

Regards

paolinuz
Posts: 18
Joined: 2008/12/15 13:54:54

Re: http TRACE XSS attack

Postby paolinuz » 2009/05/11 09:49:51

Oops.... excuse me again....
my httpd version of Apache is 2.0.52.
The Secunia web site suggests updating to version 2.210.
If I launch yum update, it responds that: No Packages marked for Update/Obsoletion....

Regards