[SENTRY-2068] Disable HTTP TRACE method from the Sentry Web Server - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.0
Fix Version/s: 2.0.0
Component/s: Sentry
Labels:
None

Description

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the client's cookies. This effectively results in a Cross-Site Scripting attack.

We should disable the HTTP TRACE method from the Web Server.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SENTRY-2068.2.patch
22/Nov/17 15:19
7 kB
Sergio Peña
SENTRY-2068.1.patch
21/Nov/17 20:44
3 kB
Sergio Peña

Issue Links

links to

Review Board

Activity

People

Assignee:: Sergio Peña

Reporter:: Sergio Peña

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 21/Nov/17 20:43

Updated:: 22/Nov/17 21:19

Resolved:: 22/Nov/17 21:19