TRACE and TRACK methods are enabled in httpd instances
Bug #1817053 reported by Juan Antonio Osorio Robles
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Invalid | High | Juan Antonio Osorio Robles | |
Bug Description
TRACE and TRACK methods are generally used to get debugging information from httpd. These methods can be used to attack other clients using an attack called Cross-Site Tracing (XST) [1].
We should disable these methods from our apache configurations.
information type: | Private Security → Public Security |
Seems that TraceEnable was already disabled in a commit, and was backported to queens https://review.openstack.org/#/c/615028/
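One way to check a rendered httpd configuration for the setting discussed in this bug, as an added example (not code from the bug report or from TripleO). It covers the `TraceEnable` directive only, which defaults to `on` and is inherited by a VirtualHost that does not set it. The sample config, host names and function names are constructed for illustration, and the sketch assumes `Include` files are already concatenated and VirtualHost addresses are unique.

```python
import re

# Constructed sample config for illustration; not taken from the bug or from TripleO.
SAMPLE_CONF = """\
ServerName overcloud.example.test
# TraceEnable On   <- commented out, must be ignored
TraceEnable Off
<VirtualHost *:5000>
    ServerName keystone.example.test
</VirtualHost>
<VirtualHost *:8774>
    ServerName nova.example.test
    TraceEnable on
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
TRACE_ENABLE = re.compile(r"TraceEnable\s+(\S+)", re.I)

def effective_trace_enable(conf_text):
    """Map each scope ('server' or a VirtualHost address) to its effective value."""
    server = "on"   # httpd default when the directive is absent
    vhosts = {}     # address -> explicit value, or None to inherit from server
    current = None  # address of the VirtualHost block currently being read
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        directive = TRACE_ENABLE.match(line)
        if opened:
            current = opened.group(1).strip()
            vhosts.setdefault(current, None)
        elif VHOST_CLOSE.match(line):
            current = None
        elif directive:
            value = directive.group(1).lower()
            if current is None:
                server = value  # last server-level directive wins
            else:
                vhosts[current] = value
    result = {"server": server}
    for addr, value in vhosts.items():
        result[addr] = value if value is not None else server
    return result

def trace_exposed(conf_text):
    """Scopes where TRACE is still answered (any value other than 'off')."""
    return sorted(s for s, v in effective_trace_enable(conf_text).items() if v != "off")

if __name__ == "__main__":
    print(effective_trace_enable(SAMPLE_CONF))
    print(trace_exposed(SAMPLE_CONF))
```
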