Wednesday, December 02, 2009

Cross-site tracing attack via HTTP TRACK / TRACE method

Risk Level: Low
Finding:
    Debugging functions are enabled on the remote web server.
Description: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections; the server echoes the request it received back to the client.

    In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers.

    An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Recommendation:
    Disable these methods in apache.conf or httpd.conf (mod_rewrite must be loaded) with
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

    Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method with the following line
        TraceEnable Off
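Either fix should be verified after the config reload, because a RewriteRule placed in the wrong context silently does nothing. The script below is an added example, not part of the original post: it sends a TRACE request carrying a random marker header and reports the method as enabled only when the server answers 200 and echoes that marker back, which is exactly the reflection XST relies on. The RewriteRule with [F] answers 403 and TraceEnable Off answers 405, so both count as disabled. The two local fixture servers are constructed stand-ins for an Apache with and without the fix, and the host, port and header name are assumptions for the demo.

```python
"""Verify that HTTP TRACE is disabled on a web server (added example)."""
import secrets
import sys
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def trace_enabled(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if the server honours TRACE by echoing our marker header.

    Any non-200 status (403 from the RewriteRule [F], 405 from TraceEnable Off,
    501 from servers that never implemented TRACE) means the method is off.
    Connection errors propagate so a failed check is never mistaken for "off".
    """
    marker = "xst-check-" + secrets.token_hex(8)  # constructed, unique per run
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Header name is an assumption; any custom header works as a marker.
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    return resp.status == 200 and marker in body


class _EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed fixture: behaves like a server with TRACE still enabled."""

    def do_TRACE(self):
        # Real TRACE responses return the received request as message/http.
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        echoed = ("\r\n".join(lines) + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the fixture quiet
        pass


class _RefuseTraceHandler(BaseHTTPRequestHandler):
    """Constructed fixture: behaves like Apache with TraceEnable Off."""

    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

    def log_message(self, *args):
        pass


def start_fixture(trace_on: bool):
    """Start a localhost fixture server; returns (server, port)."""
    handler = _EchoTraceHandler if trace_on else _RefuseTraceHandler
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_self_check() -> dict:
    """Run the check against both fixtures; expected {'trace_on': True, 'trace_off': False}."""
    results = {}
    for label, on in (("trace_on", True), ("trace_off", False)):
        server, port = start_fixture(on)
        try:
            results[label] = trace_enabled("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    # Usage: python trace_check.py <host> [port]  (defaults to the self-check)
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        state = "ENABLED" if trace_enabled(host, port) else "disabled"
        print(f"TRACE on {host}:{port} is {state}")
    else:
        print(run_self_check())
```

Run it against your own server after reloading Apache; a result of "disabled" is what the finding requires. Note that the check deliberately ignores a bare 200 without the echoed marker, since some front-end proxies answer 200 to every method without reflecting the request.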

== TaTsHuYa ==
