Josinaldo
2006-06-26 19:11:02 UTC
Hello friends!
I ran Nessus against a Windows 2000 Server AD server and it reports the
vulnerability below:
http (80/tcp) Info Synopsis :Debugging functions are enabled on the remote
HTTP server.
Description :
The remote webserver supports the TRACE and/or TRACK methods.
TRACE and TRACK are HTTP methods which are used to debug web server
connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing",
when used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give him
their credentials.
Solution :
Disable these methods.
See also :
http://www.kb.cert.org/vuls/id/867593
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Plugin output :
Solution : Use the URLScan tool to deny HTTP TRACE requests or to permit
only the methods needed to meet site requirements and policy.
CVE : CVE-2004-2320
BID : 9506, 9561, 11604
I could not figure out how to disable this. Can anyone give me a hand?
Regards,
Josinaldo
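The Nessus plugin output points at URLScan, which on IIS 5.0 (Windows 2000) is the usual way to refuse TRACE and TRACK. The following URLScan.ini fragment is an added example, not text from the post or from Microsoft's documentation; the section and key names (`[Options]`, `UseAllowVerbs`, `[AllowVerbs]`, `[DenyVerbs]`, `EnableLogging`) are URLScan 2.5's own, while the list of allowed verbs is an assumption about what a typical site needs.

```ini
; URLScan.ini fragment (URLScan 2.5 on IIS 5.0 / Windows 2000) -- added example,
; not from the original post. Verb list is an assumption; adjust to the site.

[Options]
; 1 = allow-list mode: only verbs listed under [AllowVerbs] are accepted and
;     every other method (TRACE, TRACK, ...) is rejected. This is what the
;     Nessus advice "permit only the methods needed" refers to.
; 0 = deny-list mode (weaker): every verb passes except those in [DenyVerbs].
UseAllowVerbs=1
; Log rejected requests so the change can be verified after a rescan
EnableLogging=1

[AllowVerbs]
; Keep this to what the application really uses
GET
HEAD
POST

[DenyVerbs]
; Only consulted when UseAllowVerbs=0. Kept populated so that switching the
; mode later does not silently re-enable the debugging methods.
TRACE
TRACK
```

URLScan.ini sits in the URLScan installation directory (by default under the IIS `inetsrv\urlscan` folder); after editing it, restart IIS with `iisreset` and re-run the Nessus plugin to confirm the finding is gone. Rejected requests show up in the URLScan log, which is a quick way to see whether anything legitimate was using a verb you removed.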