Thanks for the specific info on the vulnerability -- your summary seems so much clearer to me.
The code below does log the method attempted -- from there we have an automated script that identifies wierd stuff for analysis. thanks, /s. On Wednesday, January 22, 2003, at 04:53 PM, Jerry Asher wrote:
Scott Goodwin wrote:have the source code. We use AOLserver for EMIS, which is not vulnerable. I've added extra checking to the EMIS request processor 5 minutes ago to log any attempts to use HTTP methods that we don't accept so we can identify attempts to use TRACE. Here's the piece of code I added to do that: if {! [regexp -nocase {get|post|head} $http_method]} { ns_log warning "BAD HTTP METHOD: $http_method from $peer_addr: HTTP REQ=$request" ns_return 403 text/html [ns_adp_parse -file /emis/pages/errors/errorframe.adp 403] return filter_return } else { ns_log notice "$http_method request for $request from $peer_addr" }This is a good idea. You may wish to change this to return a TRACE specific error message that mentions this exploit. That way the user will be alerted to dubious activity on his machine. Jerry
