[ jetty-Bugs-736553 ] HTTP TRACE method


SourceForge.net
Bugs item #736553, was opened at 2003-05-13 01:56
Message generated for change (Comment added) made by slupton
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=107322&aid=736553&group_id=7322

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: HTTP protocol
Group: Jetty2
Status: Closed
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Chandra Patel (chandrapnc)
Assigned to: Nobody/Anonymous (nobody)
Summary: HTTP TRACE method

Initial Comment:
Jetty server has the HTTP TRACE method enabled.
Cross Site Scripting Vulnerability applies to Jetty.
Is there a way to turn off the TRACE method?

----------------------------------------------------------------------

Comment By: slupton (slupton)
Date: 2007-06-06 17:49

Message:
Logged In: YES
user_id=1761779
Originator: NO

I did some testing with an application using Jetty 6 embedded and it
appears as if the TRACE command is being accepted by default in this case.
Is this by design?  Is there an API that can be used to disable it?

----------------------------------------------------------------------

Comment By: Greg Wilkins (gregwilkins)
Date: 2003-07-14 09:32

Message:
Logged In: YES
user_id=44062

TRACE is now optional and off by default.


----------------------------------------------------------------------

Comment By: Greg Wilkins (gregwilkins)
Date: 2003-05-20 18:21

Message:
Logged In: YES
user_id=44062


I don't understand....  what is it about TRACE that makes it
vulnerable to cross site scripting?   Can I change the
implementation to remove the vulnerability?

Either way, I am working on a patch to make TRACE support
optional.



----------------------------------------------------------------------

Comment By: Chandra Patel (chandrapnc)
Date: 2003-05-20 06:06

Message:
Logged In: YES
user_id=777037

Thanks for your response...
Here is how you test
telnet 9.99.222.222  8080
Trying...
Connected to 9.99.222.222.
Escape character is '^]'.
TRACE /HTTP
TRACE /HTTP HTTP/0.9

Connection closed.
Your solution did not fix the problem...

----------------------------------------------------------------------

Comment By: Greg Wilkins (gregwilkins)
Date: 2003-05-18 06:58

Message:
Logged In: YES
user_id=44062

It is possible to add a security constraint to forbid all
TRACE methods.  You can do this with:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoTrace</web-resource-name>
      <!-- apply to every path in the webapp -->
      <url-pattern>/*</url-pattern>
      <!-- only the TRACE method is constrained; other methods are unaffected -->
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- an empty auth-constraint grants access to no role, so TRACE is refused -->
    <auth-constraint>
    </auth-constraint>
  </security-constraint>

This can be added to webdefault.xml for all webapps.

Is this sufficient?   Also do you have any references for
how TRACE can be used for cross site scripting?


----------------------------------------------------------------------
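An added example, not part of the bug thread or of Jetty itself, that checks whether the constraint above (or Jetty's later "TRACE off by default") actually took effect: it sends one TRACE request and classifies the answer, treating a 200 with Content-Type message/http that echoes the request line back as "TRACE enabled". The host name, port 8080 and the sample responses are assumptions or constructed values.

```python
# Added example (not from the bug thread): a small checker that tells
# whether an HTTP server still honours TRACE after the security-constraint
# has been deployed.  Per RFC 2616 section 9.8 a server that allows TRACE
# answers 200 with Content-Type message/http and echoes the request
# message in the body; a server that forbids it answers 403/405 (or just
# closes the connection, as in the telnet session quoted in the thread).
import http.client
import sys


def trace_is_enabled(status, headers, body):
    """Classify one TRACE response.  `headers` is a dict with lower-case keys."""
    if status != 200:
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # Both conditions must hold: right media type and the request echoed back.
    return ctype == "message/http" and body.lstrip().upper().startswith("TRACE ")


def probe(host, port=8080, path="/", timeout=5.0):
    """Send a single TRACE request and return (enabled, status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return trace_is_enabled(resp.status, headers, body), resp.status, body
    finally:
        conn.close()


# Constructed sample responses so the classifier can be exercised offline.
ENABLED_SAMPLE = (200, {"content-type": "message/http"},
                  "TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n")
FORBIDDEN_SAMPLE = (403, {"content-type": "text/html"}, "<h1>Forbidden</h1>")

if __name__ == "__main__":
    # Assumed default: the local Jetty instance on port 8080 used in the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    enabled, status, _ = probe(host)
    print(f"{host}: TRACE {'ENABLED' if enabled else 'disabled'} (status {status})")
```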

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=107322&aid=736553&group_id=7322

_______________________________________________
jetty-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/jetty-discuss