|
If the trace method is not needed for your Quickr/HTTP servers, then justit's
disable it in your HTTP configuration (server document).
---------------------------------------------------
Thanks,
Chris
Personal Blog: http://cwhisonant.gotdns.com
Work Blog: http://www.bleedyellow.com/blogs/lotusnut
On Mon, Jul 22, 2013 at 9:07 AM, <rob@xxxxxxxxx> wrote:
We use QualysGuard to test our system for exploitations. I believe
Quickr)an IBM owned company. It has this issue with our Domino (and/or
soserved external websites. It this something to be concerned about? If
mailing listwhat actions are recommended?_______________________________________________
208.87.182.41 (xqp02.dekko.com, -)
OS/400 on AS/400
Vulnerabilities (4) Expand all vulnerabilities Collapse all
vulnerabilities
3
HTTP TRACE / TRACK Methods Enabled port 80/tcp
QID:
12680
Category:
CGI
CVE ID:
CVE-2004-2320 CVE-2010-0386 CVE-2003-1567
Vendor Reference
-
Bugtraq ID:
-
Service Modified:
06/05/2013
User Modified:
-
Edited:
No
PCI Vuln:
Yes
THREAT:
The remote Web server supports the TRACE and/or TRACK HTTP methods,
which makes it easier for remote attackers to steal cookies and
authentication credentials or bypass the HttpOnly protection mechanism.
IMPACT:
If this vulnerability is successfully exploited, attackers can
potentially steal cookies and authentication credentials, or bypass the
HttpOnly protection mechanism.
SOLUTION:
Disable these methods in your web server's configuration file.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
TRACE method enabled on / directory
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
_______________________________________________
This is the Lotus Domino on the IBM i (AS/400 and iSeries) (Domino400)
mailing list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.
This is the Lotus Domino on the IBM i (AS/400 and iSeries) (Domino400)
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.