Monday 3 July 2017

HTTP TRACE / TRACK Methods Enabled (CVE-2004-2320, CVE-2010-0386, CVE-2003-1567)

Threat: "The remote Web server supports the TRACE and/or TRACK HTTP methods, which makes it easier for remote attackers to steal cookies and authentication credentials or bypass the HttpOnly protection mechanism.

Track / Trace are required to be disabled to be PCI compliant."

Impact: If this vulnerability is successfully exploited, attackers can potentially steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism.

Solution: Disable these methods in your web server's configuration file.

Fix: append the directive to the main server configuration (run as root; the path shown is the default on RHEL/CentOS, and TraceEnable only takes effect in the server config or a VirtualHost block, not in .htaccess):

  echo "TraceEnable off" >> /etc/httpd/conf/httpd.conf

Restart the Apache service so the change takes effect.
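The one-line fix above works, but appending blindly leaves duplicate TraceEnable lines after repeated runs, and Apache honours the last one it sees, so a stray "TraceEnable on" later in the file would silently win. The following script is an added example (not part of the original post) that sets the directive idempotently, reports the effective value, and checks a running server with curl. It takes the config path as an argument so it can be tried on a copy first; the `check_trace` function, the TRACE probe URL and the `/etc/httpd/conf/httpd.conf` default are assumptions, and the script expects Apache httpd 2.0.55 or later (the version that introduced TraceEnable).

```shell
#!/bin/sh
# Added example: idempotent "TraceEnable off" for Apache httpd plus verification.

# disable_trace CONF_FILE
# Removes every active TraceEnable line (directives are case-insensitive;
# commented-out "# TraceEnable ..." lines are left alone) and appends a single
# "TraceEnable off", so running it twice yields the same file.
disable_trace() {
    conf="$1"
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -Eiv '^[[:space:]]*TraceEnable([[:space:]]|$)' "$conf" > "$tmp" || true
    echo 'TraceEnable off' >> "$tmp"
    mv "$tmp" "$conf"
}

# trace_setting CONF_FILE
# Prints the effective TraceEnable value: Apache takes the last directive in
# the file, and the built-in default when none is present is "on".
trace_setting() {
    v=$(grep -Ei '^[[:space:]]*TraceEnable[[:space:]]+' "$1" | tail -n 1 | awk '{print tolower($2)}')
    echo "${v:-on}"
}

# check_trace URL
# Sends a TRACE request to a server you administer after the restart. With
# TraceEnable off, Apache answers 405 Method Not Allowed; a 200 means the
# method is still enabled (the response body echoes the request back).
check_trace() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -X TRACE "$1")
    case "$code" in
        405) echo "TRACE disabled ($code)"; return 0 ;;
        200) echo "TRACE still enabled ($code)"; return 1 ;;
        *)   echo "unexpected status $code"; return 2 ;;
    esac
}

# Usage: ./trace_off.sh [CONF_FILE] [URL]
# (assumed invocation; no arguments means nothing is touched)
if [ "$#" -ge 1 ]; then
    disable_trace "$1"
    echo "effective TraceEnable: $(trace_setting "$1")"
    echo "now run: apachectl configtest && systemctl restart httpd"
    [ "$#" -ge 2 ] && check_trace "$2"
fi
```

Note that TraceEnable covers TRACE only; TRACK is a Microsoft IIS method and is not something Apache serves, so on Apache the scanner finding is about TRACE. After editing, run `apachectl configtest` before the restart so a typo in httpd.conf does not take the server down.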
