21, March 2010

Cross site tracking attack in Apache - webmaster forum

 
I am a metal monkey!
« on: Mar 17, 2006, 01:20:00 pm »

This vulnerability is actually a problem that IIS also has, but the solution I will provide is for Apache only.

The problem is that a user can use the HTTP TRACK / TRACE method to get session information including cookies!

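To prevent the attackers, use this in your httpd.conf or .htaccess:

Code:

# Requires mod_rewrite
RewriteEngine On
# Match any request whose method starts with TRACE
RewriteCond %{REQUEST_METHOD} ^TRACE
# Serve nothing and answer 403 Forbidden
RewriteRule .* - [F]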


OMG!I am geek
« Reply #1 on: Mar 17, 2006, 01:54:29 pm »

Sounds like a serious vulnerability.

Thanks for sharing. I will add it to my .htaccess file.
Just another rainy day
« Reply #2 on: May 03, 2007, 03:00:41 pm »

I am using Apache version 2.0.55 on the Solaris 8 platform. But due to "RewriteEngine On" in the Apache module, there was an Apache - Mod_Rewrite - Off-By-One Buffer Overflow issue, so I upgraded to Apache 2.0.59. Now I also need to disable the HTTP TRACE method in this Apache version. But if I change Rewrite Off to Rewrite On in the Apache httpd.config file to disable HTTP TRACE, it will again introduce the Apache - Mod_Rewrite - Off-By-One Buffer Overflow issue. So can you provide any other alternative solution for the HTTP TRACE issue?

I am a metal monkey!
« Reply #3 on: May 03, 2007, 03:50:42 pm »

I am afraid this can't be done without modifying the source code of Apache...

So I guess you will have to leave one of these vulnerabilities open. Or maybe check how this overflow is running in Solaris. To use the HTTP_TRACE mod_rewrite rule, you need to apply it in your httpd.conf file. Maybe the mod_rewrite overflow problem is happening for certain rules, or in general happens under some circumstances.
