BugTraq
TRACE used to increase the dangerous of XSS. Jan 22 2003 08:32PM Jeremiah Grossman (jeremiah whitehatsec com) (1 replies)
Re: TRACE used to increase the dangerous of XSS. Jan 23 2003 02:28AM Doug Monroe (doug planetconnect com) (1 replies)
On Wed, 2003-01-22 at 18:28, Doug Monroe wrote:
> Jeremiah Grossman wrote:
> >
> > WhiteHat Security has released a new white paper discussing a new class
> > of web-app-sec attack (XST) which potentially affects all web servers
> > supporting TRACE.
>
> thanks for the interesting findings.
> Respectfully- the apache solution proposed by RFP in the "Server Specific
> Recommendation" might alternatively be crafted as:
> RewriteEngine on
> RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
> RewriteRule .* - [F]
>
Cool, that should lock down strange HTTP request methods nicely. We
tried something similar on ISS/Exchange and it turned off some
functionality.
Careful using this type of method if you're using Application Servers
which depend on request methods other than GET or POST.
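The caveat in the reply above is easy to check before deploying the quoted rule: `!^(GET|POST)$` refuses every method that is not literally GET or POST, which includes TRACE (the intent) but also HEAD, OPTIONS and WebDAV methods such as PROPFIND. The script below is an added illustration, not code from the thread or from Apache; it mirrors the RewriteCond's regex in Python, runs it over a set of constructed request lines, and compares the quoted allowlist against a hypothetical wider one so an administrator can see exactly which methods a given allowlist would answer with 403.

```python
import re

# Same regex as the quoted RewriteCond: %{REQUEST_METHOD} !^(GET|POST)$
# The "!" negation is applied in is_forbidden(); a non-match means the rule fires ([F] => 403).
STRICT_ALLOWLIST = re.compile(r"^(GET|POST)$")

# Hypothetical wider allowlist (an assumption, not from the thread): keeps HEAD for
# monitoring probes and OPTIONS for clients that send it, while still refusing TRACE.
WIDER_ALLOWLIST = re.compile(r"^(GET|POST|HEAD|OPTIONS)$")


def parse_request_line(line):
    """Split an HTTP/1.x request line into (method, target, version)."""
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2]


def is_forbidden(method, allowlist=STRICT_ALLOWLIST):
    """True when the RewriteRule would reply 403: the method does NOT match the allowlist."""
    # mod_rewrite regexes are case-sensitive unless [NC] is given, so no re.IGNORECASE here.
    return allowlist.search(method) is None


def classify(request_lines, allowlist=STRICT_ALLOWLIST):
    """Map each request's method to the outcome the rewrite rule would produce."""
    outcome = {}
    for line in request_lines:
        method, _target, _version = parse_request_line(line)
        outcome[method] = "403 (blocked)" if is_forbidden(method, allowlist) else "passed"
    return outcome


def blocked_methods(request_lines, allowlist=STRICT_ALLOWLIST):
    """Sorted list of methods the allowlist would refuse; handy for a pre-deployment review."""
    return sorted(m for m, o in classify(request_lines, allowlist).items() if o.startswith("403"))


# Constructed sample traffic: the methods a typical site, a monitoring probe and a
# WebDAV client might send. Not captured from any real server.
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.1",
    "POST /login HTTP/1.1",
    "TRACE / HTTP/1.1",
    "HEAD / HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "PROPFIND /dav/ HTTP/1.1",
]

if __name__ == "__main__":
    for name, allowlist in (("quoted rule", STRICT_ALLOWLIST), ("wider allowlist", WIDER_ALLOWLIST)):
        print(name, "blocks:", blocked_methods(SAMPLE_REQUEST_LINES, allowlist))
```

Run against the sample lines, the quoted rule blocks HEAD, OPTIONS, PROPFIND and TRACE, while the wider allowlist blocks only PROPFIND and TRACE. Whichever allowlist is chosen, the reply's advice stands: enumerate the methods your application servers and monitoring actually use before turning the rule on, and test with those methods rather than only with GET and POST.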