Scott Goodwin wrote:
have the source code.We use AOLserver for EMIS, which is not vulnerable. I've added extra checking to the EMIS request processor 5 minutes ago to log any attempts to use HTTP methods that we don't accept so we can identify attempts to use TRACE. Here's the piece of code I added to do that: if {! [regexp -nocase {get|post|head} $http_method]} { ns_log warning "BAD HTTP METHOD: $http_method from $peer_addr: HTTP REQ=$request" ns_return 403 text/html [ns_adp_parse -file /emis/pages/errors/errorframe.adp 403] return filter_return } else { ns_log notice "$http_method request for $request from $peer_addr" }
This is a good idea. You may wish to change this to return a TRACE specific error message that mentions this exploit. That way the user will be alerted to dubious activity on his machine. Jerry
