Overview
Urchin 4 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. The default Apache configuration as shipped with Urchin allows use of the HTTP TRACE request method. Per the following CERT security advisory:
this behavior could be leveraged by attackers to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request.
Impact on Urchin Customers
The suggested remediation described in the CERT advisory relies on the Apache mod_rewrite module. Apache's official position is that this is a browser problem rather than a flaw in the Apache webserver itself, and that the suggested workaround does not eliminate the possibility of using the published attack to obtain sensitive information. After careful examination of the fix and the threat, Urchin Software Corporation's position on this issue is that:
- The mod_rewrite module adds unnecessary complexity to the Apache webserver shipped with Urchin without eliminating the security issue described
- The vulnerability, as it applies to communications between the Urchin interface and a user's browser, does not present a threat to system security
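For administrators who nevertheless want to refuse TRACE on the Urchin webserver, the following httpd.conf fragment shows the mod_rewrite workaround from the CERT advisory next to the simpler core directive. This is an added example, not configuration from the article or from the Urchin product files; the `<IfModule>` wrapper, the comments, and the note about Apache versions are the editor's, and the `TraceEnable` directive is a setting the article does not mention (it exists only in Apache 1.3.34, 2.0.55 and later, so whether the Apache bundled with a given Urchin 4 build has it is an assumption you must check with `httpd -v`).

```apache
# Added example (not from the Urchin article, Urchin, or the Apache project).
# Two ways to make httpd refuse the TRACE method; pick the one your build supports.

# --- Default as shipped (per the article): nothing restricts TRACE ---
# With no directive mentioning TRACE, httpd answers a TRACE request by echoing
# the request line and every request header (Cookie, Authorization, ...) back
# in a message/http body. The weak setting is simply the absence of a rule.

# --- Option 1: the mod_rewrite workaround given in the CERT advisory ---
# mod_rewrite must be loaded. RewriteEngine is per-host, so put this in the
# main server section and in every <VirtualHost> (or use RewriteOptions inherit).
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match the method name exactly (methods are case-sensitive in HTTP) ...
    RewriteCond %{REQUEST_METHOD} ^TRACE$
    # ... and answer 403 Forbidden before any handler sees the request.
    RewriteRule .* - [F]
</IfModule>

# --- Option 2: core directive, Apache 1.3.34 / 2.0.55 and newer only ---
# httpd then answers TRACE with 405 Method Not Allowed; no extra module needed.
# Assumption: your bundled httpd is new enough; older builds ignore/fail on it.
TraceEnable off
```

After restarting httpd, a request such as `curl -i -X TRACE http://urchin.example.com/` (placeholder host) should come back with a 403 or 405 status and no `Content-Type: message/http` echo of the request headers; a 200 with the headers reflected in the body means the rule is not in effect for that host.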
See Also
- Apacheweek news article on the HTTP Trace issue
- ISS X-Force Database: http-trace-information-disclosure (11149)
- Apache Module mod_rewrite URL Rewriting Engine