
CVSS: 5.8

  1. Debugging functions are enabled on the remote HTTP server.
  2. The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections. It has been shown that servers supporting these methods are subject to cross-site-scripting attacks, dubbed XST for Cross-Site Tracing, when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
  3. Solution: Disable these methods.
    [root@dywH kvm8]# vim /etc/httpd/conf/httpd.conf
    ......
    LoadModule rewrite_module modules/mod_rewrite.so
    ....
    # Option 1: core directive (httpd 2.0.55 and later); TRACE is answered with 405 Method Not Allowed.
    # The directive is spelled TraceEnable, not TraceEnabled (the latter makes httpd fail to start).
    TraceEnable Off
    
    ## OR
    ...
    # Option 2: reject TRACE and TRACK with mod_rewrite (loaded above) in the main scope of httpd.conf;
    # matching both methods covers the whole scanner finding, and [F] returns 403 Forbidden.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
    RewriteRule .* - [F]
    ...
    <VirtualHost www.example.com>
    ...
    # Rewrite settings are not inherited by a virtual host, so repeat the rule for www.example.com.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
    RewriteRule .* - [F]
    </VirtualHost>
    
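After restarting httpd, the fix should be verified the same way the scanner found it: send a TRACE request and see whether the server echoes it back. The following checker is an added example, not part of the original page; the two handler classes are constructed stand-ins for an unpatched Apache (echoes the request as message/http) and a patched one (405 after TraceEnable Off), so the script runs offline. Against a real host, call method_echoed() with its hostname and port.

```python
"""Probe a web server for an enabled TRACE/TRACK method (XST check)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def method_echoed(host, port, method="TRACE", path="/"):
    """Return True if the server reflects our request back, i.e. the
    method is still enabled.  A hardened Apache answers 405 (TraceEnable
    Off) or 403 (RewriteRule [F]) with no message/http body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, headers={"X-Probe": "xst-check"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    ctype = resp.getheader("Content-Type", "")
    return (resp.status == 200 and ctype.startswith("message/http")
            and b"X-Probe: xst-check" in body)


class UnpatchedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache with TRACE enabled: echoes the
    request line and headers back as message/http."""
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep the probe quiet
        pass


class PatchedHandler(UnpatchedHandler):
    """Constructed stand-in for Apache after TraceEnable Off: 405."""
    def do_TRACE(self):
        self.send_error(405)


def serve(handler):
    """Start handler on an ephemeral localhost port; return the port."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port


if __name__ == "__main__":
    for name, handler in (("unpatched", UnpatchedHandler),
                          ("patched", PatchedHandler)):
        port = serve(handler)
        print(name, "TRACE enabled:", method_echoed("127.0.0.1", port))
```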



De-Yu Wang 2020-05-19