Description of problem:
The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request.

Version-Release number of selected component (if applicable):
2.0.52

How reproducible:
Always

Steps to Reproduce:
1. See http://www.kb.cert.org/vuls/id/867593 for details

Actual results:
Trace is allowed

Expected results:
TraceEnable as a valid option in the config to disable.

Additional info:
See http://www.kb.cert.org/vuls/id/867593 for all the details.
Note that we do not consider this issue to be a security flaw, see the NVD statement at the following link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2320 and see this article for more information: http://www.apacheweek.com/issues/03-01-24#news
Right. I did not mean to make it seem as though this was a security issue, though I did paste the body of the CERT announcement. I would like to see this enabled though, because a number of 'security' scanners show this as a finding. It would be much better in my opinion to simply be able to use 'TraceEnable Off', as opposed to a mod_rewrite rule.
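The two ways of disabling TRACE that the comment above compares, shown side by side as an added example (this is not configuration from the bug report or from the Apache project; the comments are mine). It assumes a stock httpd layout where the snippet goes into the main server config or a VirtualHost block.

```apache
# Option 1: the directive the reporter is asking for.
# TraceEnable became available in httpd 1.3.34 and 2.0.55, so the 2.0.52
# build named in this report does not know it (httpd refuses to start on
# an unknown directive). With it active, TRACE requests are answered with
# "405 Method Not Allowed" and nothing from the request is echoed back.
TraceEnable Off

# Option 2: the mod_rewrite workaround for builds that lack TraceEnable.
# Reject the TRACE method before any handler sees the request. mod_rewrite
# must be loaded, and the rule belongs in server or VirtualHost context
# (not .htaccess) so it covers every URL; it returns "403 Forbidden".
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
```

Only one of the two is needed; keep the directive once the server is new enough and drop the rewrite rule. To confirm the change took effect after a reload, send a TRACE request carrying a marker header you choose (for example `curl -i -X TRACE -H 'X-Check: marker' http://localhost/`): before the change the body echoes the full request including that header, afterwards the status is 405 (directive) or 403 (rewrite rule) and the marker does not appear in the body. Scanners that flag TRACE generally key on exactly that echo, so this is also the check that makes the finding go away.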
OK, thanks for the feedback.
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
What exactly do the duplicate comments here signify? Does this mean it's been pushed back 2 minor releases, or is update 8 on the way, and this won't be in it?
Sorry about the confusion. This isn't currently scheduled to be fixed in 4.8, but has been proposed for inclusion in 4.9. (Can't guarantee it will be in 4.9 at this stage)
Please be so kind and add a few key words to the technical note of this bugzilla entry using the following structure: Cause: Consequence: Fix: Result: Thanks
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: Consequence: Fix: Result:
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0237.html