On Wednesday, January 22, 2003, at 03:48 PM, Andrew Piskorski wrote:

Incidentally, Apache/1.3.26, the version shipped with Debian 3.0, DOES
implement TRACE.

On Wed, Jan 22, 2003 at 01:04:36PM -0800, Jade Rubick wrote:
Does Aolserver implement the TRACE command?

http://www.extremetech.com/article2/0,3973,841047,00.asp


I just pointed that out to my management chain and the other groups in my organization who use Apache and IIS. Here's the message I sent:


========= CUT HERE ========

If you aren't already aware, there appears to be a serious cross-site vulnerability that uses the TRACE HTTP method to do its dirty work. This vulnerability is not affected by SSL.

Please read:

http://www.extremetech.com/article2/0,3973,841047,00.asp

I know Apache uses the TRACE method (I just looked at the source code for Apache), but it may not be vulnerable depending on how Apache is configured. I can't determine if IIS is vulnerable, because, well, I don't have the source code.

We use AOLserver for EMIS, which is not vulnerable. I added extra checking to the EMIS request processor 5 minutes ago to log any attempts to use HTTP methods that we don't accept so we can identify attempts to use TRACE. Here's the piece of code I added to do that:

# Connection details come from the current request (assumed: the original
# snippet did not show where $http_method, $peer_addr and $request were set).
set http_method [ns_conn method]
set peer_addr   [ns_conn peeraddr]
set request     [ns_conn request]

# Anchored match: the unanchored {get|post|head} in the original would also
# accept any method that merely contained those letters (e.g. "XPOST").
if {! [regexp -nocase {^(get|post|head)$} $http_method]} {
   ns_log warning "BAD HTTP METHOD: $http_method from $peer_addr: HTTP REQ=$request"
   ns_return 403 text/html [ns_adp_parse -file /emis/pages/errors/errorframe.adp 403]
   return filter_return
} else {
   ns_log notice "$http_method request for $request from $peer_addr"
}

AOLserver is such a *sweet* web server. You should really consider switching :)

/s.

======= CUT HERE ==========

So, thank you AOL, the AOL dev team, and everyone in the community who uses and has helped maintain and improve AOLserver. You've made my life so much easier.

/s.
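The message above checks the server side. The other half of the job is finding out which of your own hosts answer TRACE at all, and what a TRACE echo actually hands back. The following is an added example (not code from the original message, from the EMIS request processor, or from AOLserver): it sends a single TRACE request with a marker cookie and classifies the reply as an echo when the server returns 200 with Content-Type message/http and a body that repeats the request line, which is the behaviour the cross-site tracing technique depends on. The response parser works on bytes, so it can be exercised offline on the constructed responses embedded below; the host names, the cookie value and the sample bodies are made up for the example.

```python
"""Probe a web server for HTTP TRACE support (cross-site tracing check).

Added example, not part of the original message or of AOLserver.
"""
import http.client

# Request headers an attacker hopes to see reflected in a TRACE echo.
SENSITIVE_HEADERS = ("cookie", "authorization", "proxy-authorization")


def parse_trace_response(status: int, content_type: str, body: bytes) -> dict:
    """Decide whether a TRACE reply is an echo and which sensitive headers it leaked.

    Returns {"trace_enabled": bool, "reflected": [header names]}.
    A server that implements TRACE answers 200 with Content-Type message/http
    and a body that repeats the request, beginning with "TRACE <path> HTTP/1.x".
    """
    result = {"trace_enabled": False, "reflected": []}
    if status != 200 or not content_type.lower().startswith("message/http"):
        return result
    lines = body.decode("iso-8859-1", errors="replace").splitlines()
    if not lines or not lines[0].upper().startswith("TRACE "):
        return result
    result["trace_enabled"] = True
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the echoed request headers
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            result["reflected"].append(name.strip().lower())
    return result


def probe_trace(host: str, port: int = 80, path: str = "/",
                use_tls: bool = False, timeout: float = 5.0) -> dict:
    """Send one TRACE request carrying a marker Cookie and classify the reply.

    Needs network access; the marker cookie value is constructed for the probe.
    If it comes back in the body, the server reflects request headers verbatim.
    """
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Cookie": "xst_probe=1"})
        resp = conn.getresponse()
        body = resp.read()
        return parse_trace_response(resp.status,
                                    resp.getheader("Content-Type", ""), body)
    finally:
        conn.close()


# Constructed responses for offline checking (not captured from a real host).
ECHO_RESPONSE = (
    200,
    "message/http",
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Cookie: session=abc123\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n",
)
DENIED_RESPONSE = (405, "text/html", b"<html>Method Not Allowed</html>")


if __name__ == "__main__":
    print("echoing server :", parse_trace_response(*ECHO_RESPONSE))
    print("refusing server:", parse_trace_response(*DENIED_RESPONSE))
    # Against a live host: probe_trace("www.example.com")
```

On the Apache side of that era the usual fix was a mod_rewrite rule that refuses the method (`RewriteCond %{REQUEST_METHOD} ^TRACE` followed by `RewriteRule .* - [F]`); later Apache releases added a `TraceEnable off` directive. Re-run the probe after the change to confirm the server no longer returns a message/http echo.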


