Mantis Bug Tracker

View Issue Details

ID: 0008760
Project: ProcessMaker [Community]
Category: Install, upgrade, hotfix
View Status: public
Date Submitted: 2012-03-16 10:18
Last Update: 2015-09-28 10:54
Reporter: amosbatto
Assigned To: erik
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Platform: (not set)
OS: (not set)
OS Version: (not set)
Product Version: (not set)
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0008760: Disable TRACE support in Apache to stop cross-site scripting XSS

Description: manchesterfan in the forum notes that ProcessMaker is vulnerable to XSS attacks because TRACE support is enabled by default in Apache. See:
http://forum.processmaker.com/viewtopic.php?f=9&t=7214

US-CERT Vulnerability Note VU#867593 - Web servers enable HTTP TRACE method by default:
http://www.kb.cert.org/vuls/id/867593

To fix this, the following line should be added to the pmos.conf file:
  TraceEnable Off 

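As an added verification step (example code written for this page, not part of the bug report or of ProcessMaker), the script below sends one TRACE request carrying a marker header and reports whether the server echoes it back. The bundled local server is a constructed stand-in for Apache so the check runs offline in both modes: echoing TRACE (the default behaviour the report complains about) and refusing it with 405, which is what Apache returns once `TraceEnable Off` is in effect. Host, port and the marker header name are assumptions chosen for the demo.

```python
"""Probe whether an HTTP server still honours the TRACE method.

Added example, not part of the original bug report. The checker speaks plain
HTTP to any host/port; the demo server is a constructed stand-in for Apache
so the check can be exercised offline against both behaviours.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Marker header we expect a TRACE-honouring server to reflect (assumed name).
PROBE_HEADER = ("X-Trace-Probe", "pmos-check")


def trace_allowed(host, port, path="/", timeout=5):
    """Send one TRACE request; return (allowed, status).

    A server that honours TRACE answers 200 with Content-Type message/http and
    echoes the request, marker header included. Apache with TraceEnable Off
    answers 405 Method Not Allowed, so the marker never comes back.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER[0]: PROBE_HEADER[1]})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    marker = f"{PROBE_HEADER[0]}: {PROBE_HEADER[1]}".encode()
    echoed = resp.status == 200 and marker in body
    return echoed, resp.status


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed demo server: echoes TRACE like a default Apache, or refuses
    it like Apache with TraceEnable Off, depending on trace_enabled."""
    trace_enabled = True

    def do_TRACE(self):
        if not self.trace_enabled:
            self.send_response(405)
            self.send_header("Allow", "GET,HEAD,POST")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Reflect the request line and headers: this reflection of request
        # headers is exactly what the CERT note warns about.
        echo = (self.requestline + "\r\n").encode()
        echo += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items()).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server(trace_enabled):
    """Start a throwaway local server on a random port; caller must shutdown()."""
    handler = type("Handler", (_DemoHandler,), {"trace_enabled": trace_enabled})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_demo(trace_enabled):
    """Run the probe against a demo server in the given mode; returns (allowed, status)."""
    srv = start_demo_server(trace_enabled)
    try:
        return trace_allowed("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("default Apache (TRACE on):  ", check_demo(True))   # (True, 200)
    print("with TraceEnable Off:       ", check_demo(False))  # (False, 405)
```

Against a real install, call `trace_allowed(host, port)` after adding `TraceEnable Off` and restarting Apache: a 405 confirms the directive is active, while a 200 with the marker echoed means the running configuration does not yet contain it (for example because the directive was placed in a file Apache does not include).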
Tags: No tags attached.
Attached Files: page1.jpg (269,284 bytes) 2012-03-16 11:32
page2.jpg (228,898 bytes) 2012-03-16 11:33

- Notes
(0018507)
manchesterfan (reporter)
2012-03-16 10:38
edited on: 2012-03-16 12:29

Hi Amos, thanks for doing this.

(0018508)
manchesterfan (reporter)
2012-03-16 12:32

When you get a chance Amos, feel free to let me know of an ETA for the resolution of this bug. Thanks so very much! : )
(0018526)
fernando (administrator)
2012-03-19 14:48

We are adding this line in the virtual host conf... Pmos.conf
(0018909)
erik (administrator)
2012-04-05 15:27
edited on: 2012-04-10 17:33

***NO_CHANGES_REQUIRED***

The suggestion was accepted; our installer and the tar & rpm packages will now ship with that rule by default in the virtual host configuration file.


- Issue History
Date Modified Username Field Change
2012-03-16 10:18 amosbatto New Issue
2012-03-16 10:18 amosbatto Status new => assigned
2012-03-16 10:18 amosbatto Assigned To => erik
2012-03-16 10:19 amosbatto Description Updated
2012-03-16 10:38 manchesterfan Note Added: 0018507
2012-03-16 10:49 manchesterfan Note View State: 0018507: private
2012-03-16 11:30 manchesterfan Note View State: 0018507: public
2012-03-16 11:30 manchesterfan Note View State: 0018507: private
2012-03-16 11:31 manchesterfan Note View State: 0018507: public
2012-03-16 11:31 manchesterfan Note View State: 0018507: private
2012-03-16 11:32 manchesterfan File Added: page1.jpg
2012-03-16 11:33 manchesterfan File Added: page2.jpg
2012-03-16 11:33 manchesterfan Note View State: 0018507: public
2012-03-16 11:33 manchesterfan Note View State: 0018507: private
2012-03-16 12:29 manchesterfan Note View State: 0018507: public
2012-03-16 12:29 manchesterfan Note Edited: 0018507
2012-03-16 12:32 manchesterfan Note Added: 0018508
2012-03-19 14:48 fernando Note Added: 0018526
2012-03-19 14:48 fernando Status assigned => confirmed
2012-04-05 15:27 erik Note Added: 0018948
2012-04-05 15:27 erik Status confirmed => resolved
2012-04-05 15:27 erik Resolution open => no change required
2012-04-10 17:33 erik Note Edited: 0018909
2012-12-12 10:26 lizalina Status resolved => closed
2015-09-28 10:54 Ademarh Category 1.C . . . . OS & System Configuration => Install, upgrade, hotfix