Hi all,
I have tested my CentOS machine with OpenVAS (free security assessment software).
OpenVAS reported that my web server supports the TRACE and/or TRACK methods.
These methods are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.
The OpenVAS solution is to disable these methods by adding the following lines for each virtual host in my configuration file:
[code]
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
[/code]
I have added these lines but the problem persists.....
The Secunia website suggests updating the version of httpd from 2.2.52 to 2.2.10 but the CentOS repository doesn't have the 2.2.10 version.... but only the 2.2.52.....
Can you help me?
PS: excuse me for my bad English......
Regards
Paolo
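Added example (not part of the original posts): a way to check, independently of the scanner, whether the rewrite rule is in effect on each virtual host. It sends TRACE and TRACK with a chosen Host header and classifies the reply; the function names, the X-Trace-Probe header and the usage line are assumptions made for this illustration.

```python
import http.client
import secrets
import sys

def classify_trace_response(status, content_type, body, marker):
    """Classify the reply to a TRACE/TRACK probe that carried `marker` in a header."""
    echoed = marker.encode() in body or content_type.lower().startswith("message/http")
    if status == 200 and echoed:
        return "enabled"       # the request was reflected back: method still active
    if status in (403, 405, 501):
        return "blocked"       # 403 is what "RewriteRule .* - [F]" returns
    return "inconclusive"      # e.g. a redirect or an ordinary page: inspect by hand

def probe(address, vhost, method="TRACE", port=80, timeout=5):
    """Send `method` to `address` with "Host: vhost" and classify the reply."""
    marker = secrets.token_hex(8)  # random value, so an echo cannot be a coincidence
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"Host": vhost, "X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536)
        return classify_trace_response(
            resp.status, resp.getheader("Content-Type", ""), body, marker)
    finally:
        conn.close()

def check_vhosts(address, vhosts, port=80):
    """Probe the bare address (what a scanner usually hits) and every named vhost."""
    results = {}
    for vhost in [address, *vhosts]:
        for method in ("TRACE", "TRACK"):
            results[(vhost, method)] = probe(address, vhost, method, port)
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:      # hypothetical usage: check_trace.py ADDRESS [VHOST ...]
        for key, verdict in check_vhosts(sys.argv[1], sys.argv[2:]).items():
            print(key, verdict)
    else:                      # offline demo on constructed replies
        echo = b"TRACE / HTTP/1.1\r\nHost: a\r\nX-Trace-Probe: abc123\r\n\r\n"
        print(classify_trace_response(200, "message/http", echo, "abc123"))
        print(classify_trace_response(403, "text/html", b"Forbidden", "abc123"))
```

A result of "enabled" for the bare address but "blocked" for the named hosts means the rule is missing from the virtual host that answers requests made by IP address.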
http TRACE XSS attack
[quote]
paolinuz wrote:
...
The Secunia website suggests updating the version of httpd from 2.2.52 to 2.2.10 but the CentOS repository doesn't have the 2.2.10 version.... but only the 2.2.52.....
...[/quote]
Looks like you are saying they are suggesting a downgrade based on the version numbers - generally a bad idea. Can you provide a link to the reference?
Re: http TRACE XSS attack
Hi pschaff,
sorry....I was mistaken....
Really, the Secunia website suggests updating the version of httpd from 2.2.x to 2.2.10, but I have the version 2.2.52
I have lost the link to this page and I cannot find it.....
Regards
Re: http TRACE XSS attack
Oops.... excuse me again....
my httpd version of Apache is 2.0.52.
The Secunia web site suggests updating to version 2.210.
If I launch yum update, it responds that: No Packages marked for Update/Obsoletion....
Regards