
[nv-l] Cross-Site-Tracing Vulnerability on Jetty Server

To: <nv-l@lists.us.ibm.com>
Subject: [nv-l] Cross-Site-Tracing Vulnerability on Jetty Server
From: 공기열 <bart@isiskorea.com>
Date: Tue, 3 Aug 2004 17:25:40 +0900

Sorry, my messages are cracked, so I am mailing again.

Hi there,

I'm using NetView 7.1.3 on AIX 5.1.

I have been checking security on the NetView box and I have the vulnerability on the Jetty web server.

How can I set up Jetty to avoid this?

Thanks in advance.

This is the message.

========================================================================================

Cross-Site-Tracing Vulnerability on Web Servers

CVE#:  N/A

Summary:  Web servers that enable TRACE or TRACK methods may allow CST/XST (Cross-site Tracing), which allows attackers to trick visiting web clients into executing malicious code.

Details:   Cross-site Tracing is a new variety of Cross-site scripting that uses the TRACE command of the HTTP/1.1 protocol. TRACE is basically a GET request that echoes the request back to the client running the command. It is possible to script some browsers to send the TRACE requests and return echoed headers to the script. The headers can carry cookies or authorization strings to the server, and can potentially be retrieved by attackers.

 

Cross Site Scripting Explanation:
A Hacker constructs malicious code that includes scripts enclosed in unparsed tags that will execute on the web client of visitors. By accepting tags in user input, server may allow scripts embedded in the input to run in the authorization context of the server on the client. The server does not execute the script; it accepts the script from a hacker and serves the script to a visiting client. Then the client's browser executes the script embedded in the HTML from the server.

Embedded scripts may also change the action of form tags, changing what programs the form runs and where it sends information. The malicious request may be typed in directly or left in innocent seeming links that anyone may follow, hiding the source of the request from logging.

Fix: This vulnerability is theoretical, but apparently vulnerable on most servers. Contact vendor for more information on the vulnerability and how to disable the TRACE and TRACK methods. See references for thorough details.

Apache users can add the following lines to each virtual host in the config file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
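
Added example, not part of the original post or of the scanner's report: a Python check an administrator can run against their own server, for instance after applying a rule like the one above, to confirm that TRACE and TRACK are refused. The header name `X-Trace-Probe` and the function names are made up for this example; a method is reported as enabled only when the response body echoes the probe's random marker, which is the behaviour the report describes.

```python
import http.client
import uuid

BLOCKED = {403, 405, 501}  # statuses servers commonly return for a refused method


def probe_method(host, port, method, timeout=5.0):
    """Send one `method` request carrying a random marker header.

    Returns (status, echoed). echoed is True when the response body repeats
    the marker, meaning the server reflected the request headers back.
    """
    marker = uuid.uuid4().hex
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536)  # an echoed request is small; cap the read
        return resp.status, marker.encode() in body
    finally:
        conn.close()


def audit(host, port):
    """Classify TRACE and TRACK handling on a server you administer."""
    results = {}
    for method in ("TRACE", "TRACK"):
        try:
            status, echoed = probe_method(host, port, method)
        except (OSError, http.client.HTTPException) as exc:
            results[method] = f"error: {exc.__class__.__name__}"
            continue
        if echoed:
            results[method] = "enabled"  # request headers were reflected
        elif status in BLOCKED:
            results[method] = "blocked"
        else:
            results[method] = f"review (HTTP {status})"  # accepted, but no echo seen
    return results


if __name__ == "__main__":
    import sys
    # Usage: python trace_check.py <host> <port>
    for method, verdict in audit(sys.argv[1], int(sys.argv[2])).items():
        print(f"{method}: {verdict}")
```

A "review" verdict means the server answered the method without reflecting the marker, so its handling should be checked by hand.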


 
