Hi,

On 02.02.2010 09:47, Ian Boston wrote:
> 
> On 2 Feb 2010, at 02:59, Roy T. Fielding wrote:
> 
>> On Jan 28, 2010, at 7:49 AM, Ian Boston wrote:
>>
>>> One of our QA people is reporting that Sling servlets support the TRACE 
> >>> method, which can be used for XSS attacks.
>>
> >> No, it can't, or at least it doesn't make any difference whether
>> TRACE is supported or not because the security leak is allowing
>> javascript to send cookies and credentials with TRACE.  The original
>> report that TRACE was at fault is ridiculous, and just keeps getting
>> repeated because "security" reports never die.
>>
>> The only reason to disable TRACE is to satisfy MIS managers who don't
>> actually understand security but want to disable it anyway.
> 
> The report was from a QA team running through a battery of known 
> "vulnerabilities"
> 
> I am sure you're right. Should I revert the patch, which, IIUC, copies the 
> behaviour in Apache Httpd and allows configuration?

I would keep it (as Roy said "to satisfy MIS managers who don't ...")

> 
> btw, SlingSafeMethodsServlet.doTrace looks like it might be vulnerable to 
> Response splitting, it echoes headers back to the response stream without 
> making them safe.

Agreed with Bertrand, let's create an issue and fix this in the
SlingSafeMethodsServlet.doTrace method (probably just omitting any known
security relevant headers like Set-Cookie and Authorization).

Regards
Felix
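The fix proposed in this thread, as an added illustration of the idea rather than Sling's own SlingSafeMethodsServlet.doTrace code. It is written in Python instead of Java so it runs stand-alone; the naive echo is shown next to the hardened one, which drops the credential-bearing headers (Cookie, Set-Cookie, Authorization, Proxy-Authorization) and strips CR/LF/NUL from whatever it does echo. The request line, header names and values are constructed sample data, and the header list itself is an assumption about what "security relevant" should cover.

```python
"""Echoing a TRACE request without leaking credentials or letting a
hostile header value split the echoed message.

Illustration code for this thread, not Sling's doTrace. The request
line and headers below are constructed sample data.
"""
import re

# Never reflect credential-bearing headers. Set-Cookie is included because
# an attacker-controlled value could otherwise plant one in the echoed body.
# (Assumed list; the project would decide the exact set.)
SENSITIVE_HEADERS = frozenset({
    "cookie", "set-cookie", "authorization", "proxy-authorization",
})

# CR, LF and NUL are what let one header value masquerade as several lines
# once it is written back out.
_CONTROL = re.compile(r"[\r\n\x00]")


def echo_trace_unsafe(request_line, headers):
    """Naive doTrace: copy the request line and every header verbatim."""
    lines = [request_line] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n"


def echo_trace_safe(request_line, headers):
    """Hardened doTrace: omit sensitive headers, strip line terminators."""
    lines = [_CONTROL.sub("", request_line)]
    for name, value in headers:
        if name.lower() in SENSITIVE_HEADERS:
            continue
        lines.append(f"{_CONTROL.sub('', name)}: {_CONTROL.sub('', value)}")
    return "\r\n".join(lines) + "\r\n"


def build_trace_response(body):
    """Wrap an echoed message in the message/http response TRACE returns."""
    payload = body.encode("latin-1", "replace")
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: message/http\r\n"
        + f"Content-Length: {len(payload)}\r\n".encode("ascii")
        + b"\r\n" + payload
    )


def parse_echoed_headers(body):
    """Read the echoed message back as a client would: one header per line."""
    headers = []
    for line in body.split("\r\n")[1:]:   # element 0 is the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


# Constructed sample: a browser request carrying a session cookie and Basic
# credentials, plus a probe header with an embedded CRLF.
SAMPLE_REQUEST_LINE = "TRACE /content/page.html HTTP/1.1"
SAMPLE_HEADERS = [
    ("Host", "sling.example"),
    ("Cookie", "login-token=SECRET-SESSION-TOKEN"),
    ("Authorization", "Basic YWRtaW46YWRtaW4="),
    ("X-Probe", "harmless\r\nSet-Cookie: injected=1"),
]


if __name__ == "__main__":
    unsafe = echo_trace_unsafe(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS)
    safe = echo_trace_safe(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS)
    print("unsafe echo headers:", [n for n, _ in parse_echoed_headers(unsafe)])
    print("safe echo headers:  ", [n for n, _ in parse_echoed_headers(safe)])
    print(build_trace_response(safe).decode("latin-1"))
```

Run it and the unsafe echo parses back into five headers, including the Cookie and Authorization values and a Set-Cookie line that never existed as a header in the request; the hardened echo yields only Host and a single X-Probe line. A Java port for a servlet would do the same over `getHeaderNames()`/`getHeaders(name)` before writing the `message/http` body.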
