next up previous contents
Next: CVE-2015-0235 Up: 漏洞處理 Previous: CVSS: 7.5   Contents

CVSS: 5.8

  1. Debugging functions are enabled on the remote HTTP server.
  2. The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
  3. Solution: Disable these methods.
    [root@dywH kvm8]# vim /etc/httpd/conf/httpd.conf
    ......
    LoadModule rewrite_module modules/mod_rewrite.so
    ....
    TraceEnabled Off
    
    ## OR
    ...
    # disable TRACE in the main scope of httpd.conf
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    ...
    <VirtualHost www.example.com>
    ...
    # disable TRACE in the www.example.com virtual host
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    </VirtualHost>
    



2016-06-02