ClearOS Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


CVE 2004-2320

'The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.'

ClearCenter response

Short response

While tracing is supported and enabled by default, ClearOS shares the view with the Apache Foundation that this is NOT a vulnerability. (See http://www.apacheweek.com/issues/03-01-24#news)

Additionally, ClearOS does not use BEA WebLogic Server or BEA WebLogic Server Express.

Long response

This CVE may have relevance to BEA WebLogic Server but does not represent an particular vulnerability to ClearOS. The Apache Foundation has addressed this issue and does not see this as a particular security vulnerability. (See http://www.apacheweek.com/issues/03-01-24#news)

Trace is a function and a utility of Apache to troubleshoot webpages. It can be used to discover why pages are not working and potentially could be used to fix issues. As explained in the news from the Apache Foundation, the same information exposed in the attack for which this CVE is crafted can be garnered in other more typical ways. Thus, the CVE is a pretty weak representation of a real problem.

Resolution

Tracing can be a valuable tool for discovering issues with a malformed webpage. If you don't use this tool and just as soon disable the functionality you can turn it off in ClearOS. If you want to disable tracing, enter this line near the top of your /etc/httpd/conf/httpd.conf file:

TraceEnable off

Afterwards, restart the Apache service:

service httpd restart
content/en_us/announcements_cve_cve-2004-2320.txt · Last modified: 2014/12/22 10:07 by dloper

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Aannouncements_cve_cve-2004-2320&1563573196