I think a registered filter put in before any other filter would be
better, unless you have a specific error page you want to show that's
in OpenACS. My code is returning our error page; I wouldn't want to
rely on a more complex module to perform this function for me. A bug in
your rewrite code could make you vulnerable again.

/s.


On Wednesday, January 22, 2003, at 05:19  PM, Roberto Mello wrote:

On Wed, Jan 22, 2003 at 02:47:58PM -0800, Jerry Asher wrote:

<snip>

It goes away entirely if the server doesn't implement TRACE.  It will
not cause cross site leakage unless your browser already has a cross
site leakage bug in it.  IE currently does.  Other browsers may or may
not have bugs.  When will you be secure that your browser has none of
these bugs?

Ugh.

<snip>

The news article claims that Apache needs a patch and can't just be
configured to not implement TRACE.  Does anyone know if that is so?

Think I found a way to work around the problem using Apache's mod_rewrite
(something that may be good to add to OpenACS' request processor). By
adding the lines below (with mod_rewrite being loaded) to the VirtualHost
section, the server should send a Forbidden response.

Weirdly, I get a Bad request (the same request works fine if I take the
rewrite rules off), but at least the TRACE isn't completed.

# RBM: 2002-01-22. Kill TRACE exploits.
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .*   [F]


-Roberto

--
+----|        Roberto Mello   -    http://www.brasileiro.net/  |------+
+       Computer Science Graduate Student, Utah State University      +
+       USU Free Software & GNU/Linux Club - http://fslc.usu.edu/     +
What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water.
        -- Matt Welsh
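
An added example, not part of the original thread: a small check for whether a server still completes TRACE after a filter or rewrite rule has been put in place. It treats any response other than a 200 that echoes the probe header (for instance the Forbidden or Bad Request mentioned above) as "not completed". The header name `X-Trace-Probe`, the function names and the two local stand-in servers are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE = "X-Trace-Probe"  # constructed header name, used only to spot the echo


def trace_completed(host, port, timeout=5):
    """Send one TRACE request; True only if the server echoes it back with 200."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={PROBE: "probe-value"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
    finally:
        conn.close()
    # A refused TRACE (403, 400, 405, 501 ...) never reflects our header.
    return resp.status == 200 and PROBE.lower() in body.lower()


class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the stand-in servers silent
        pass


class EchoTrace(Quiet):
    """Constructed stand-in for a server that implements TRACE."""
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)


class RefuseTrace(Quiet):
    """Constructed stand-in for a server where TRACE is answered with Forbidden."""
    def do_TRACE(self):
        self.send_error(403)


def check_local(handler):
    """Run the probe against a throwaway server bound to 127.0.0.1."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return trace_completed("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

To check a server you run, call `trace_completed(host, port)` against it before and after adding the filter or rewrite rule.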
