Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jetty > Disable TRACE http method #360

Closed
hamadodene opened this issue Jun 28, 2022 · 0 comments · Fixed by #369
Closed

Jetty > Disable TRACE http method #360

hamadodene opened this issue Jun 28, 2022 · 0 comments · Fixed by #369
Labels
Security
Milestone
v1.8.0

Comments

@hamadodene
Copy link
Contributor

We performed a security check on the admin interface of Carapace and we noticed a vulnerability caused by the presence of the http TRACE method.

It would be advisable to disable it.

Check info:

THREAT:
The remote Web server supports the TRACE and/or TRACK HTTP methods, which makes it easier for remote attackers to steal cookies and
authentication credentials or bypass the HttpOnly protection mechanism.
Track / Trace are required to be disabled to be PCI compliance.

IMPACT:
If this vulnerability is successfully exploited, attackers can potentially steal cookies and authentication credentials, or bypass the HttpOnly
protection mechanism.

SOLUTION:
Disable these methods in your web server's configuration file.
@hamadodene hamadodene linked a pull request Aug 8, 2022 that will close this issue
Admin > Don't allow http TRACE method in jetty #369
Merged
@hamadodene hamadodene added this to the v1.8.0 milestone Aug 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
v1.8.0
Development

Successfully merging a pull request may close this issue.

Admin > Don't allow http TRACE method in jetty hamadodene/carapaceproxy
1 participant
@hamadodene