On Wed, Apr 23, 2008 at 11:14 AM, byronbulb <[EMAIL PROTECTED]> wrote:

>
> Hi - my IT department is upset about my implementation of trac because
> they don't like Error 500 headers getting sent if someone attempts an
> XSS attack.
>
> I've been able to strip out trac's internal error reporting by editing
> the templates for errors. What I can't figure out is how to force trac/
> apache to suppress the error 500 header or replace it with something
> different (404 perhaps)
>
> I have edited my apache httpd.conf to return the 404 response text on
> a 500, but this doesn't affect the headers sent by trac. Any ideas?
>
> I'm on 11.b2 fwiw, though I could downgrade/sidegrade/whatever if need
> be.
>

I would suggest setting up mod_security -- http://www.modsecurity.org/ on
your apache server.  You could configure mod_security to handle XSS attacks
in whatever way you'd like before trac even gets the request.

It will likely take some tweaking of the rules that apply to trac, since
some of the source browsing in trac will likely trigger false positives to
mod_security.

chris
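As an added illustration of the approach Chris describes (this is not configuration from the thread, from Trac, or from the mod_security project), the fragment below is a minimal mod_security 2.x rule set for Apache that answers a request carrying script-like input with a 404 before the request reaches Trac, so Trac never raises the internal error that produces the 500. The XSS pattern is deliberately narrow and only illustrative; a real deployment would use a maintained rule set such as the OWASP Core Rule Set instead. The mount point `/trac`, the rule id `100001` and the exempted source-browser paths are assumptions about the deployment, not values from the thread.

```apache
# Added example, not from the original thread: block suspected XSS input with
# a 404 in mod_security before Apache hands the request to Trac.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On

    # Illustrative, deliberately narrow pattern (assumption: the site wants a
    # 404 rather than a 403 or 500). Production setups should rely on a
    # maintained rule set rather than a single hand-written regex.
    SecRule ARGS|ARGS_NAMES "@rx (?i)<\s*script|javascript:|on\w+\s*=" \
        "id:100001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:404,log,msg:'Suspected XSS input blocked before reaching Trac'"

    # Trac's repository browser and changeset views legitimately carry script
    # fragments; exempt them to avoid the false positives mentioned above.
    # Assumption: Trac is mounted at /trac; adjust the paths to match.
    <LocationMatch "^/trac/(browser|changeset|log)/">
        SecRuleRemoveById 100001
    </LocationMatch>
</IfModule>
```

With `deny,status:404` the response status is set by mod_security itself, which is why it changes the header the original `ErrorDocument` approach could not; audit-log entries (`log`) still record the blocked request so the IT department keeps visibility into attempts without the application returning a 500.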

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---