
On Fri, Feb 16, 2007 at 06:32:46AM +0100, Pavel Chalupa wrote:
> Can anybody explain to me how much of a security problem it is when I have TRACE enabled in Apache?

A victim of your website may have set up your machine as a trusted host. An attacker of that victim tricks him into a request from his machine to your host with the attacker's provided content. The TRACE method will output that content to the victim's browser, which then processes the content with elevated privileges.

You should disable TRACE for production webhosts, and only enable them for your development IP space. You're doing no one a service by leaving them enabled but an attacker.

Peter
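
Added example, not part of the original message: a small check an administrator can run against their own web host to see whether TRACE still reflects request content, as described in the reply above. The function names, the X-Trace-Check header and the sample responses are assumptions constructed for this illustration.

```python
import http.client
import secrets

def classify_trace(status, body, marker):
    """Classify a TRACE response: 'echoed', 'allowed' or 'blocked'."""
    if marker.encode() in body:
        return "echoed"    # request was reflected into the response body
    if 200 <= status < 300:
        return "allowed"   # method accepted although the marker is absent
    return "blocked"       # e.g. 403, 405 or 501

def check_trace(host, port=80, use_tls=False, timeout=5.0):
    """Send one TRACE request to a host you administer; return (verdict, status)."""
    marker = "trace-check-" + secrets.token_hex(8)
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        # The random marker travels in a request header; a server with TRACE
        # enabled returns the whole request, marker included, as the body.
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        return classify_trace(resp.status, resp.read(65536), marker), resp.status
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "trace enabled": (200, b"TRACE / HTTP/1.1\r\nHost: www.example.org\r\n"
                           b"X-Trace-Check: trace-check-demo\r\n\r\n"),
    "trace disabled": (405, b"<html><body>Method Not Allowed</body></html>"),
}

def classify_samples(marker="trace-check-demo"):
    """Run the classifier over the constructed samples; works offline."""
    return {name: classify_trace(status, body, marker)
            for name, (status, body) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

A production host should report "blocked"; on Apache the `TraceEnable off` directive is the setting that disables the method.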