Posted to users@httpd.apache.org by Milan Andric <ma...@eecs.berkeley.edu> on 2004/03/18 18:44:24 UTC

Re: [users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29

On Thu, Mar 18, 2004 at 09:49:31AM -0500, Joshua Slive wrote:
> 
> On Thu, 18 Mar 2004, Thiago Anderson wrote:
> > I edited my httpd.conf and included the lines:
> >
> >     RewriteEngine on
> >     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> >     RewriteRule .* - [F]
> >
> > and
> > in the virtual hosts I added these lines too...
> >
> > but when I scan the server with Nessus I see the message again...
> 
> 1. TRACE is not a real vulnerability.  See the archives of this list or
> http://www.apacheweek.com/issues/03-01-24#news
> for example.  So I wouldn't waste your time with this.
> 
> 2. Don't trust your scanner.  Try a manual TRACE request using telnet and
> see if it succeeds.
> 
> Joshua.

Also, in case you do find TRACE a problem, I don't think rewrite is necessary.
The Limit directive might work too? Like what apache2 includes in default
config for homedirs:

    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>

-- 
Milan


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 18 Mar 2004, Milan Andric wrote:
> Also, in case you do find TRACE a problem, I don't think rewrite is necessary.
> The Limit directive might work too? Like what apache2 includes in default
> config for homedirs:

Unfortunately, TRACE cannot be restricted with <Limit> because of some
details of the HTTP protocol.

Joshua.
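Joshua's advice earlier in the thread is to check by hand rather than trust the scanner, and his reply above explains that a <Limit>/<LimitExcept> block does not cover TRACE. The script below is an added example, not code from the thread or from the Apache project: it sends a single TRACE request carrying a constructed marker header and reports whether the server echoes it back (a reflective TRACE) or refuses it. Run against your own server after adding a rewrite rule or a <LimitExcept> block, it answers the question the scanner cannot. So that it runs offline, it also includes a small stand-in server (constructed here, not Apache) that can be started in either mode; the host, port and marker values are assumptions.

```python
"""Manual HTTP TRACE check (constructed example, not from the thread)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker header; if it comes back in the body, TRACE is reflective.
MARKER_NAME = "X-Probe"
MARKER_VALUE = "trace-check-1"


def check_trace(host, port, path="/"):
    """Send one TRACE request and report what the server did with it.

    Returns a dict with the status code, whether the body echoed our marker
    header back (a reflective TRACE, i.e. the method is enabled), and the
    Content-Type of the reply (Apache answers a reflected TRACE with
    message/http).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={MARKER_NAME: MARKER_VALUE})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    conn.close()
    reflected = resp.status == 200 and f"{MARKER_NAME}: {MARKER_VALUE}" in body
    return {
        "status": resp.status,
        "reflected": reflected,
        "content_type": resp.getheader("Content-Type", ""),
    }


class _TraceHandler(BaseHTTPRequestHandler):
    """Stand-in server (constructed, not Apache) used only for the offline demo."""

    reflect = True  # overridden per server instance by start_test_server()

    def do_TRACE(self):
        if self.reflect:
            # Echo the request line and headers, as a server with TRACE
            # enabled does.
            echo = self.raw_requestline + str(self.headers).encode("latin-1")
            self.send_response(200)
            self.send_header("Content-Type", "message/http")
            self.send_header("Content-Length", str(len(echo)))
            self.end_headers()
            self.wfile.write(echo)
        else:
            # Method refused; a rewrite rule with [F] would give 403 instead.
            self.send_response(405)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_test_server(reflect):
    """Start the stand-in server on a free loopback port in a daemon thread."""
    handler = type("Handler", (_TraceHandler,), {"reflect": reflect})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(reflect):
    """Run check_trace() against a stand-in server in the given mode."""
    srv = start_test_server(reflect)
    try:
        return check_trace("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("TRACE enabled  :", demo(True))
    print("TRACE refused  :", demo(False))
    # To probe a real host instead: check_trace("www.example.org", 80)
```

A reflected request shows up as status 200 with the marker header in the body; a 403 or 405 with no echo means the method is actually blocked. Only the second result tells you the configuration change took effect, regardless of what the scanner reports.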
