Does this help?

http://www-01.ibm.com/support/docview.wss?uid=swg21158630

-----Original Message-----
From: domino400-bounces@xxxxxxxxxxxx [mailto:domino400-bounces@xxxxxxxxxxxx] On Behalf Of Chris Whisonant
Sent: Monday, July 22, 2013 8:20 AM
To: Lotus Domino on the IBM i (AS/400 and iSeries)
Subject: Re:

I'm doubting you need it enabled...

http://www.cgisecurity.com/questions/httptrace.shtml


---------------------------------------------------

Thanks,
Chris
Personal Blog: http://cwhisonant.gotdns.com Work Blog: http://www.bleedyellow.com/blogs/lotusnut


On Mon, Jul 22, 2013 at 9:16 AM, <rob@xxxxxxxxx> wrote:

Define "needed". What exactly is it?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Chris Whisonant <chris.whisonant@xxxxxxxxx>
To: "Lotus Domino on the IBM i (AS/400 and iSeries)"
<domino400@xxxxxxxxxxxx>,
Date: 07/22/2013 09:15 AM
Subject: Re:
Sent by: domino400-bounces@xxxxxxxxxxxx



If the trace method is not needed for your Quickr/HTTP servers, then
just disable it in your HTTP configuration (server document).


---------------------------------------------------

Thanks,
Chris
Personal Blog: http://cwhisonant.gotdns.com Work Blog:
http://www.bleedyellow.com/blogs/lotusnut


On Mon, Jul 22, 2013 at 9:07 AM, <rob@xxxxxxxxx> wrote:

We use QualysGuard to test our system for exploitations. I believe
it's an IBM owned company. It has this issue with our Domino
(and/or Quickr) served external websites. It this something to be
concerned about? If
so
what actions are recommended?




208.87.182.41 (xqp02.dekko.com, -)

OS/400 on AS/400
Vulnerabilities (4) Expand all vulnerabilities Collapse all
vulnerabilities

3
HTTP TRACE / TRACK Methods Enabled port 80/tcp


QID:
12680
Category:
CGI
CVE ID:
CVE-2004-2320 CVE-2010-0386 CVE-2003-1567 Vendor Reference
-
Bugtraq ID:
-
Service Modified:
06/05/2013
User Modified:
-
Edited:
No
PCI Vuln:
Yes

THREAT:
The remote Web server supports the TRACE and/or TRACK HTTP
methods, which makes it easier for remote attackers to steal cookies
and authentication credentials or bypass the HttpOnly protection mechanism.
IMPACT:
If this vulnerability is successfully exploited, attackers can
potentially steal cookies and authentication credentials, or bypass
the HttpOnly protection mechanism.
SOLUTION:
Disable these methods in your web server's configuration file.
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
TRACE method enabled on / directory



Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

_______________________________________________
This is the Lotus Domino on the IBM i (AS/400 and iSeries)
(Domino400) mailing list To post a message email:
Domino400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list
options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/domino400.


_______________________________________________
This is the Lotus Domino on the IBM i (AS/400 and iSeries) (Domino400)
mailing list To post a message email: Domino400@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/domino400.


_______________________________________________
This is the Lotus Domino on the IBM i (AS/400 and iSeries) (Domino400)
mailing list To post a message email: Domino400@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/domino400.


_______________________________________________
This is the Lotus Domino on the IBM i (AS/400 and iSeries) (Domino400) mailing list To post a message email: Domino400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/domino400.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.