Hi,

The TRACE method is not actually handled by Sling or any of the default
servlets. By default it gets through to the SimplerWebDavServlet which
we have installed to do "WebDAV on root".

If TRACE is really a problem, I think it is probably a good idea to add
a configuration switch to the SlingMainServlet, which just blocks TRACE
(by default, as proposed).

Regards
Felix

On 28.01.2010 16:49, Ian Boston wrote:
> Hi,
> 
> One of our QA people is reporting that Sling servlets support the TRACE 
> method, which can be used for XSS attacks. 
> I had thought that this was a Jetty misconfiguration issue, but I notice 
> that SlingSafeMethodsServlet explicitly supports doTrace.
> 
> Not knowing anything about this sort of attack... is TRACE an issue ? Should 
> it be removed from the SlingSafeMethodsServlet or simply blocked in the Main 
> Sling servlet ?
> 
> I can probably customise the Jetty config to prevent it locally, but thought 
> it might be an issue for Sling.
> 
> Ian
> 
> 

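A sketch of the "block TRACE by default" switch Felix proposes, written here as an added example and not code from Sling or from either poster. It is a plain servlet Filter rather than a change inside SlingMainServlet, so it can be dropped in front of any servlet (the WebDAV one included) until a proper option exists; the class name TraceBlockingFilter and the init parameter block.trace are assumptions of this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Sling) that refuses HTTP TRACE before
 * any servlet behind it gets the chance to reflect the request.
 *
 * Why TRACE matters: a TRACE response echoes the request line and headers
 * back to the client, Cookie and Authorization included. Script running
 * in a browser that can issue a TRACE to the site and read the reply can
 * therefore recover session cookies that HttpOnly was meant to hide
 * (cross-site tracing, "XST"); that is the XSS-related report the QA
 * team raised.
 */
public class TraceBlockingFilter implements Filter {

    /** Assumed init parameter name; "false" disables the block. */
    static final String PARAM_BLOCK_TRACE = "block.trace";

    private boolean blockTrace = true;

    @Override
    public void init(FilterConfig config) {
        String value = config.getInitParameter(PARAM_BLOCK_TRACE);
        // Absent parameter means "block", matching the proposed default.
        blockTrace = value == null || Boolean.parseBoolean(value);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (blockTrace && req instanceof HttpServletRequest
                && isTrace((HttpServletRequest) req)) {
            HttpServletResponse resp = (HttpServletResponse) res;
            // 405 says the method is understood but not permitted here.
            // RFC 2616 requires an Allow header with a 405; the list below
            // is illustrative and should match what the deployment serves
            // (a WebDAV root would also list PROPFIND and friends).
            resp.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // do not continue the chain: nothing may echo the request
        }
        chain.doFilter(req, res);
    }

    /** Method tokens are case-sensitive in HTTP, but be defensive anyway. */
    static boolean isTrace(HttpServletRequest request) {
        return "TRACE".equalsIgnoreCase(request.getMethod());
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To confirm the block is in place, send a raw request such as `TRACE / HTTP/1.1` with a `Cookie:` header and check that the response is a 405 rather than a body that repeats the Cookie line; a reflected request body is the symptom the QA report describes. Doing the same at the Jetty level, as Ian considers, works too, but only protects that one container configuration rather than every Sling deployment.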