[jira] [Assigned] (SENTRY-2068) Disable HTTP TRACE method from the Sentry Web Server

JIRA Tue, 21 Nov 2017 12:45:15 -0800

     [ 
https://issues.apache.org/jira/browse/SENTRY-2068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sergio Peña reassigned SENTRY-2068:
-----------------------------------

    Assignee: Sergio Peña

> Disable HTTP TRACE method from the Sentry Web Server
> ----------------------------------------------------
>
>                 Key: SENTRY-2068
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2068
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.8.0
>            Reporter: Sergio Peña
>            Assignee: Sergio Peña
>         Attachments: SENTRY-2068.1.patch
>
>
> The HTTP TRACE method is normally used to return the full HTTP request back 
> to the requesting client for proxy-debugging purposes. An attacker can create 
> a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a 
> TRACE request and capture the client's cookies. This effectively results in a 
> Cross-Site Scripting attack.
> We should disable the HTTP TRACE method from the Web Server.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Assigned] (SENTRY-2068) Disable HTTP TRACE method from the Sentry Web Server

Reply via email to