[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Don't believe the Hype - ws TRACE flaw



If anyone caught the "Sky is falling" press release from WhiteHat Security...

> Santa Clara, Calif., Jan. 20, 2003 -- WhiteHat Security, Inc. a Santa Clara,
> 
> California based company that specializes in Web Application Security, has 
> discovered a serious security flaw affecting all web server world wide. From
> 
> months of extensive research and testing, WhiteHat has found a way to
> exploit 
> a flaw in the way all web servers communicate.
> 
> http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt

That's only the press release. More links (incl. the whitepaper) and
some thoughts about that in the thread on bugtraq:

http://online.securityfocus.com/archive/1/308161/2003-01-21/2003-01-27/1

And for all those running Apache, Doug Monroe noted:
> Jeremiah Grossman wrote:
> > WhiteHat Security has released a new white paper discussing a new class
> > of web-app-sec attack (XST) which potentially affects all web servers
> > supporting TRACE.
> 
> thanks for the interesting findings. 
> Respectfully- the apache solution proposed by RFP in the "Server Specific
> Recommendation" might alternatively be crafted as:
>   RewriteEngine on
>   RewriteCond %{REQUEST_METHOD}  !^(GET|POST)$
>   RewriteRule .* - [F]

There you have it. Three lines in your httpd.conf and problem solved.

The short explanation is that it's an exploit using the "TRACE"
command to your webserver instead of GET, POST, HEAD, etc.. So, the
solution is as simple as configuring the Apache rewrite engine to
dump any request other than what you allow (GET or POST in the above).

If you aren't using Apache, well, you're SOL and will have to find a
solution elsewhere.

Mike808/ 


---------------------------------------------
http://www.valuenet.net



-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.