TRACE and TRACK methods are enabled in httpd instances

Bug #1817053 reported by Juan Antonio Osorio Robles
Affects: tripleo
Status: Invalid
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

TRACE and TRACK methods are generally used to get debugging information from httpd. These methods can be used to attack other clients using an attack called Cross-Site Tracing (XST) [1].

We should disable these methods from our apache configurations.

[1] https://www.owasp.org/index.php/Cross_Site_Tracing

Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

Seems that TraceEnable was already disabled in a commit, and was backported to queens: https://review.openstack.org/#/c/615028/
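
As an added example (not TripleO's or the reporter's code), one way to audit an httpd configuration for the TraceEnable setting mentioned above: the script resolves the effective value for the server config and for each <VirtualHost>, treating an absent directive as httpd's default of on. The sample config and function names are constructed for illustration, and Include files are assumed to be already inlined.

```python
import re

# Constructed sample (not TripleO's config): global Off, one vhost re-enables it.
SAMPLE_CONF = """\
ServerName example.test
TraceEnable Off
<VirtualHost *:80>
    ServerName api.example.test
</VirtualHost>
<VirtualHost *:8080>
    ServerName legacy.example.test
    TraceEnable On
</VirtualHost>
"""

def effective_trace_enable(conf_text):
    """Map each scope (server config, each <VirtualHost>) to its effective value."""
    seen = {"global": "on"}  # httpd's default when the directive is absent
    scope = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if vhost:
            scope = "vhost " + vhost.group(1).strip()
            seen.setdefault(scope, None)  # None = inherit from server config
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        else:
            directive = re.match(r"TraceEnable\s+(\S+)", line, re.I)
            if directive:
                seen[scope] = directive.group(1).lower()  # last one wins
    # Inheritance is resolved after the whole file is read, so a global
    # directive placed below a vhost still applies to that vhost.
    return {s: v if v is not None else seen["global"] for s, v in seen.items()}

def trace_findings(conf_text):
    """Scopes where TRACE is still answered ('on' or 'extended')."""
    return sorted(s for s, v in effective_trace_enable(conf_text).items() if v != "off")

if __name__ == "__main__":
    for scope in trace_findings(SAMPLE_CONF):
        print("TraceEnable is not off in:", scope)
```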

Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

This was already disabled and is actually not an issue. We were looking at a previous version (before queens).

Changed in tripleo:
status: Triaged → Invalid
Jeremy Stanley (fungi) wrote :

I recommend switching invalid private bugs to public, so that folks who come along later with the same concerns can find out why they're mistaken.

information type: Private Security → Public Security