Sergio Peña created SENTRY-2068:
-----------------------------------
Summary: Disable HTTP TRACE method from the Sentry Web Server
Key: SENTRY-2068
URL: https://issues.apache.org/jira/browse/SENTRY-2068
Project: Sentry
Issue Type: Bug
Components: Sentry
Affects Versions: 1.8.0
Reporter: Sergio Peña

The HTTP TRACE method is normally used to return the full HTTP request back to
the requesting client for proxy-debugging purposes. An attacker can create a
webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE
request and capture the client's cookies. This effectively results in a
Cross-Site Scripting attack.

We should disable the HTTP TRACE method from the Web Server.