http TRACE XSS attack

Posted: 2009/05/08 15:09:42
by paolinuz
Hi all,
I have tested my CentOS machine with OpenVAS (free security assessment software).
OpenVAS reported that my web server supports the TRACE and/or TRACK methods.
These methods are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when
used in conjunction with various weaknesses in browsers.

The OpenVAS solution is to disable these methods by adding the following lines for each virtual host in my configuration file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

I have added these lines but the problem persists...

The Secunia website suggests updating the version of httpd from 2.2.52 to 2.2.10, but the CentOS repository doesn't have the 2.2.10 version... only the 2.2.52...

Can you help me?

PS: excuse me for my bad English...

Regards
Paolo
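A practical way to verify whether the rewrite rule above actually took effect, before re-running the scanner, is to send the same TRACE probe a scanner sends and look at the answer: a server with TRACE enabled replies 200 with a `message/http` body that echoes the request (headers included, which is what XST abuses), while the mod_rewrite rule answers 403 and, on httpd builds that have the `TraceEnable off` directive, the server answers 405. The script below is an added example, not code from the thread or from OpenVAS; the host name `example.test`, the `X-Probe` marker header and the sample responses are constructed for illustration. If the probe still reports "enabled" after the edit, the usual causes are that `RewriteEngine on` was not repeated inside the virtual host that actually serves the scanned address, or that mod_rewrite is not loaded.

```python
"""Check whether a web server still answers HTTP TRACE (the XST finding above).

Added example, not code from the thread. It builds the TRACE probe a scanner
sends and classifies the raw response so a fix (the rewrite rule, which should
answer 403, or TraceEnable off, which answers 405) can be verified directly.
"""
import socket
import sys


def build_trace_request(host: str, path: str = "/") -> bytes:
    # A server with TRACE enabled echoes this request back verbatim in the
    # body, which is what lets a page script read headers it normally cannot.
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "X-Probe: xst-check\r\n"  # hypothetical marker; expected in the echo if TRACE is on
        "Connection: close\r\n\r\n"
    ).encode()


def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'blocked' or 'unknown' for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"  # not an HTTP status line at all
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    # TRACE is on when the server echoes the request back as message/http.
    if status == 200 and (
        headers.get(b"content-type", b"").startswith(b"message/http")
        or body.lstrip().startswith(b"TRACE ")
    ):
        return "enabled"
    # 403 = the rewrite rule fired; 405/501 = the method is refused outright.
    if status in (403, 405, 501):
        return "blocked"
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to a live server; only used when a host is given on the command line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample responses (not captured from a real server).
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Probe: xst-check\r\n\r\n"
)
SAMPLE_REWRITE_FORBIDDEN = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>Forbidden</html>"
)
SAMPLE_TRACEENABLE_OFF = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_trace.py www.example.test
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for label, sample in (
            ("trace enabled", SAMPLE_TRACE_ENABLED),
            ("rewrite rule", SAMPLE_REWRITE_FORBIDDEN),
            ("TraceEnable off", SAMPLE_TRACEENABLE_OFF),
        ):
            print(f"{label}: {classify_trace_response(sample)}")
```

Run it with the scanned host name as the only argument; without an argument it classifies the three constructed responses so the logic can be checked offline. The classifier keys on the echoed request rather than on the status code alone because some front-end proxies return 200 for any method while stripping the body.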

http TRACE XSS attack

Posted: 2009/05/08 15:13:53
by pschaff
[quote]
paolinuz wrote:
...
The Secunia website suggests updating the version of httpd from 2.2.52 to 2.2.10, but the CentOS repository doesn't have the 2.2.10 version... only the 2.2.52...
...[/quote]

Looks like you are saying they are suggesting a downgrade based on the version numbers - generally a bad idea. Can you provide a link to the reference?

Re: http TRACE XSS attack

Posted: 2009/05/11 08:53:07
by paolinuz
Hi pschaff,
sorry... I was mistaken...

Actually, the Secunia website suggests updating the version of httpd from 2.2.x to 2.2.10, but I have version 2.2.52.
I have lost the link to this page and cannot find it...

Regards

Re: http TRACE XSS attack

Posted: 2009/05/11 09:49:51
by paolinuz
Oops... excuse me again...
my Apache httpd version is 2.0.52.
The Secunia website suggests updating to version 2.210.
If I launch yum update, it responds: No Packages marked for Update/Obsoletion...

Regards