TRACE and TRACK methods are enabled in httpd instances

Bug #1817053 reported by Juan Antonio Osorio Robles on 2019-02-21
Affects: tripleo
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

TRACE and TRACK methods are generally used to get debugging information from httpd. These methods can be used to attack other clients using an attack called Cross-Site Tracing (XST) [1].

We should disable these methods from our apache configurations.

[1] https://www.owasp.org/index.php/Cross_Site_Tracing

Seems that TraceEnable was already disabled in a commit, and was backported to queens https://review.openstack.org/#/c/615028/

This was already disabled and is actually not an issue. We were looking at a previous version (before queens).

Changed in tripleo:
status: Triaged → Invalid
Jeremy Stanley (fungi) wrote:

I recommend switching invalid private bugs to public, so that folks who come along later with the same concerns can find out why they're mistaken.

information type: Private Security → Public Security
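
An added example, not part of the bug report or TripleO's code: a small auditor that reads Apache configuration text and lists the contexts where TRACE is still effectively enabled, based on the `TraceEnable` directive mentioned in the thread. It assumes a single file with no `Include` expansion; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the bug report or TripleO).
SAMPLE_CONF = """\
# main server section
ServerName undercloud.example.test
TraceEnable Off

<VirtualHost *:5000>
    ServerName keystone.example.test
</VirtualHost>

<VirtualHost *:8774>
    ServerName nova.example.test
    traceenable on
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
TRACE = re.compile(r"TraceEnable\s+(\S+)", re.I)

def audit_trace_enable(conf_text):
    """Map 'server' and each vhost address to its effective TraceEnable value."""
    server, vhosts, current = None, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd comments are whole lines
            continue
        if (m := VHOST_OPEN.match(line)):
            current = m.group(1).strip()
            vhosts.setdefault(current, None)
        elif VHOST_CLOSE.match(line):
            current = None
        elif (m := TRACE.match(line)):
            if current is None:
                server = m.group(1).lower()      # last main-server value wins
            else:
                vhosts[current] = m.group(1).lower()
    server = server or "on"                      # httpd default when unset
    effective = {"server": server}
    # A vhost without its own directive inherits the main server's value.
    effective.update({a: v or server for a, v in vhosts.items()})
    return effective

def trace_enabled_contexts(conf_text):
    """Contexts where TRACE is still answered ('on' or 'extended')."""
    return sorted(c for c, v in audit_trace_enable(conf_text).items() if v != "off")
```

For the constructed sample, `trace_enabled_contexts(SAMPLE_CONF)` flags only the `*:8774` virtual host, which re-enables TRACE despite the main server setting.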