Details
- Improvement
- Resolution: Unresolved
- Medium
- None
- 2.5.29, 3.3.19, 4.0.6, 4.1.3
- None
- Varnish, Fastly
Description
To avoid Cross Site Tracing (XST) we should probably disable TRACE/TRACK by default. This affects Apache, Nginx, and possibly Varnish.
See https://owasp.org/www-community/attacks/Cross_Site_Tracing
and https://deadliestwebattacks.com/appsec/2010/05/18/cross-site-tracing-xst-the-misunderstood-vulnerability.html
I have reduced the priority because 1) the issue is 19 years old, and 2) modern browsers have blocked this method for a long time now.
Remediations:
- Apache: Rewrite to 405 Method Not Allowed for both trace and track, since PHP implements it.
  TraceEnable off - should be done in httpd.conf, not vhost. Add note in doc. Not needed given rewrite fix, but could silence some alarms.
- Nginx: Defaults to HTTP 405. Rewrite to 405 Method Not Allowed for both trace and track, since PHP implements it.
- Varnish: It seems what lionel.akpagni@ibexa.co proposes in the CS issue would have to be done in at least two repos. If we treat this as security and deliver it to v2.5+, then
https://github.com/ezsystems/ezplatform-http-cache/blob/1.0/docs/varnish/vcl/varnish5.vcl#L34 and
https://github.com/ezsystems/ezplatform/blob/2.5/.platform/varnish.vcl#L48
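
A way to verify the remediations listed above once they are deployed, as an added example that is not part of the original issue or the project's code: it sends TRACE and TRACK with a marker header and reports any status other than 405 or any echo of the marker. The header name, marker value, function names and the local stub server are assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "xst-check-constructed-marker"  # constructed value to look for in the response

def probe(host, port, method, use_tls=False, timeout=5):
    """Send one request carrying MARKER in a header; return (status, reflected)."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    conn.request(method, "/", headers={"X-XST-Check": MARKER})
    resp = conn.getresponse()
    body = resp.read(65536).decode("latin-1")
    conn.close()
    return resp.status, MARKER in body

def check_trace_disabled(host, port, use_tls=False):
    """Findings for TRACE and TRACK; an empty list means both are refused with 405."""
    findings = []
    for method in ("TRACE", "TRACK"):
        status, reflected = probe(host, port, method, use_tls)
        if status != 405:
            findings.append(f"{method}: expected 405, got {status}")
        if reflected:
            findings.append(f"{method}: request headers echoed in the response body")
    return findings

class Stub(BaseHTTPRequestHandler):  # constructed local stub, echoes unless `refuse` is set
    refuse = False
    def do_TRACE(self):
        if self.refuse:
            return self.send_error(405)  # the remediated behaviour
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(body)
    do_TRACK = do_TRACE
    log_message = lambda self, *args: None  # keep the demo output quiet

def run_stub(refuse):
    handler = type("StubHandler", (Stub,), {"refuse": refuse})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for refuse in (False, True):
        srv = run_stub(refuse)
        print("refuse =", refuse, check_trace_disabled("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

Point `check_trace_disabled` at each layer separately (web server directly, then through Varnish or Fastly), since a 405 from the cache does not show that the origin refuses the method.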