http报头协议追踪漏洞
?
检测方式:
c:\>nc www.baidu.com 80 < 1.txt
HTTP/1.1 200 ok
Date: Mon,22 Aug 2011 06:37:25 GMT
Server: Apache/2.2.3 <Red Hat>
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http
?
88
TRACE / HTTP/1.1
Host: www.baidu.com
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 <compatible; MSIE 6.0; w
?
?
0
其他方法:
<script>alert(12345)%3C/script%3E
?%3Cscript%3Ealert(12345)%3C/script%3E
?
1.txt 内容
?
TRACE / HTTP/1.1Host: www.baidu.comAccept: */*Accept-Language: en-USUser-Agent: Mozilla/4.0 <compatible; MSIE 6.0; w0?
?
解决方式:
在apache的conf文件中添加:
?
RewriteEngine onRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)RewriteRule .* - [F]?
?如有虚拟站点,每个虚拟都要添加。
相关模块:?LoadModule rewrite_module modules/mod_rewrite.so
?