6, July 2008

Cross site tracking attack in Apache - webmaster forum

 
I am a metal monkey!
« on: Mar 17, 2006, 01:20:00 PM »

This vulnerability is actually a problem that IIS also has, but the solution I will provide is for Apache only.

The problem is that a user can use the HTTP TRACK / TRACE method to get session information including cookies!

To prevent the attackers, use this in your httpd.conf or .htaccess:

Code:

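# Answer TRACE and TRACK requests with 403 Forbidden instead of echoing them back
RewriteEngine On
# Match on the request method; TRACK is included because the text above names both
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
# "-" leaves the URL unchanged, [F] returns Forbidden
RewriteRule .* - [F]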


Trial and Error my two best teachers Cool
Promote your blog for free.... Visit through proxy

Last blog : Keep it Legal - Tims guide to legal notices
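
A way to confirm the rule above took effect, as an added example that is not part of the original post: it sends one TRACE request carrying a marker cookie to a server you administer and classifies the response as reflected or refused. The names `MARKER`, `send_trace` and `classify` and the sample responses are constructed for this illustration.

```python
import socket
import sys

MARKER = "trace_probe=constructed-marker"  # constructed cookie value, not a real session

def send_trace(host, port=80, timeout=5.0):
    """Send one TRACE request carrying MARKER to your own server; return raw bytes."""
    request = (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nCookie: {MARKER}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def classify(raw):
    """Return (verdict, status) for a raw HTTP response to a TRACE request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return ("unparseable", None)
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # TRACE is live if the server reflects the request: the body carries our
    # Cookie header back, or the response is typed message/http.
    echoed = MARKER.encode("ascii") in body
    reflected_type = headers.get(b"content-type", b"").startswith(b"message/http")
    if status == 200 and (echoed or reflected_type):
        return ("trace-enabled", status)
    if status in (403, 405, 501):  # 403 is what the [F] flag returns
        return ("blocked", status)
    return ("inconclusive", status)

# Constructed sample responses (not captured from a real server).
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: "
               + MARKER.encode("ascii") + b"\r\n\r\n")
SAMPLE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<h1>Forbidden</h1>"

if __name__ == "__main__":
    print(classify(SAMPLE_ECHO), classify(SAMPLE_FORBIDDEN))
    if len(sys.argv) > 1:  # optional: hostname of a server you administer
        print(classify(send_trace(sys.argv[1])))
```
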
OMG!I am geek
« Reply #1 on: Mar 17, 2006, 01:54:29 PM »

Sounds like a serious vulnerability.

Thanks for sharing. I will add it to my .htaccess file.
Just another rainy day
« Reply #2 on: May 03, 2007, 03:00:41 PM »

I am using Apache version 2.0.55 on the Solaris 8 platform. But due to "RewriteEngine On" in the Apache module, there was an Apache - Mod_Rewrite - Off-By-One Buffer Overflow issue. So I upgraded to Apache 2.0.59. Now I also need to disable the HTTP TRACE method in this Apache version. But if I change Rewrite Off to Rewrite On in the Apache httpd.config file to disable HTTP TRACE, it will again introduce the Apache - Mod_Rewrite - Off-By-One Buffer Overflow issue. So can you provide any other alternative solution for the HTTP TRACE issue?

I am a metal monkey!
« Reply #3 on: May 03, 2007, 03:50:42 PM »

I am afraid this can't be done without modifying the source code of Apache....

So I guess you will have to leave one of these vulnerabilities open. Or maybe check how this overflow is running in Solaris. To use the HTTP_TRACE mod_rewrite rule, you need to apply it in your httpd.conf file. Maybe the mod_rewrite overflow problem is happening for certain rules, or in general happens under some circumstances.
