On 2 Feb 2010, at 02:59, Roy T. Fielding wrote:

> On Jan 28, 2010, at 7:49 AM, Ian Boston wrote:
> 
>> One of our QA people is reporting that Sling servlets support the TRACE 
>> method, which can be used for XSS attacks. 
> 
> No, it can't, or at least it doesn't make any difference whether
> TRACE is supported or not because the security leak is allowing
> javascript to send cookies and credentials with TRACE.  The original
> report that TRACE was at fault is ridiculous, and just keeps getting
> repeated because "security" reports never die.
> 
> The only reason to disable TRACE is to satisfy MIS managers who don't
> actually understand security but want to disable it anyway.

The report was from a QA team running through a battery of known 
"vulnerabilities".

I am sure you're right. Should I revert the patch, which, IIUC, copies the 
behaviour in Apache Httpd and allows configuration?

btw, SlingSafeMethodsServlet.doTrace looks like it might be vulnerable to 
response splitting: it echoes headers back to the response stream without making 
them safe.

Ian

> 
> ....Roy
> 
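
Added example (not Sling's code, and not the patch under discussion): a plain `javax.servlet` servlet whose `doTrace` echoes the request line and headers the way the servlet default does, but strips CR and LF from every echoed name and value, omits credential-bearing headers, and declares an exact `Content-Length` so the echoed bytes cannot be read as anything other than the body of this one response. The class name `SanitizedTraceServlet`, the helper `stripCrLf` and the skipped-header list are assumptions chosen for the illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Enumeration;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet for illustration; not SlingSafeMethodsServlet. */
public class SanitizedTraceServlet extends HttpServlet {

    /** Remove CR and LF so an echoed value cannot end the line it is written on. */
    static String stripCrLf(String value) {
        if (value == null) {
            return "";
        }
        return value.replace("\r", "").replace("\n", "");
    }

    /** Headers that carry credentials are not reflected at all (design choice). */
    static boolean isSensitive(String headerName) {
        String n = headerName.toLowerCase(Locale.ROOT);
        return n.equals("cookie") || n.equals("authorization")
                || n.equals("proxy-authorization");
    }

    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        StringBuilder body = new StringBuilder();
        body.append("TRACE ").append(stripCrLf(req.getRequestURI()))
            .append(' ').append(stripCrLf(req.getProtocol())).append("\r\n");

        Enumeration<?> names = req.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (isSensitive(name)) {
                continue; // never echo credentials back to the caller
            }
            Enumeration<?> values = req.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                String value = (String) values.nextElement();
                body.append(stripCrLf(name)).append(": ")
                    .append(stripCrLf(value)).append("\r\n");
            }
        }

        // Fixed, pre-computed length: the echoed text is one body, nothing more.
        byte[] bytes = body.toString().getBytes(StandardCharsets.ISO_8859_1);
        resp.setContentType("message/http");
        resp.setContentLength(bytes.length);
        resp.getOutputStream().write(bytes);
        resp.getOutputStream().flush();
    }
}
```

The two controls work at different layers: `stripCrLf` keeps a hostile header value from being interpreted as a line break in the echoed text, and the explicit `Content-Length` keeps that text framed as a single response. Dropping `Cookie` and `Authorization` from the echo addresses the concern Roy describes (credentials travelling with a scripted TRACE) from the server side, independent of whether the method is enabled at all.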
