Posted to users@httpd.apache.org by Thiago Anderson <s3...@hotmail.com> on 2004/03/18 14:02:30 UTC

[users@httpd] HTTP TRACE with Apache 1.3.29

Hello there,

Can someone here help me with HTTP TRACE and HTTP TRACK on Apache 1.3.29?
I ran a Nessus scan to find vulnerabilities, and I see this message:

##########################################################
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users to give him their
credentials.

Solution: Disable these methods.


If you are using Apache, add the following lines for each virtual
host in your configuration file:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
    <Client method="TRACE">
     AuthTrans fn="set-variable"
     remove-headers="transfer-encoding"
     set-headers="content-length: -1"
     error="501"
    </Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603


See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
    http://www.kb.cert.org/vuls/id/867593

Risk factor : Medium
############################################################

I edited my httpd.conf and included the lines:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

and
in the virtual hosts I added these lines too...

but when I scan the server with Nessus I see the message again...


Can someone help me???



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 18 Mar 2004, Milan Andric wrote:
> Also, in case you do find TRACE a problem, I don't think rewrite is necessary.
> The Limit directive might work too? Like what apache2 includes in default
> config for homedirs:

Unfortunately, TRACE cannot be restricted with <Limit> because of some
details of the HTTP protocol.

Joshua.



Re: [users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29

Posted by Milan Andric <ma...@eecs.berkeley.edu>.
On Thu, Mar 18, 2004 at 09:49:31AM -0500, Joshua Slive wrote:
> 
> On Thu, 18 Mar 2004, Thiago Anderson wrote:
> > i edit my httpd.conf and include the lines:
> >
> >     RewriteEngine on
> >     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> >     RewriteRule .* - [F]
> >
> > and
> > in virtual hosts i add this line too...
> >
> > but i scan the server with nessus i see the message again...
> 
> 1. TRACE is not a real vulnerability.  See the archives of this list or
> http://www.apacheweek.com/issues/03-01-24#news
> for example.  So I wouldn't waste your time with this.
> 
> 2. Don't trust your scanner.  Try a manual TRACE request using telnet and
> see if it succeeds.
> 
> Joshua.

Also, in case you do find TRACE a problem, I don't think rewrite is necessary.
The Limit directive might work too? Like what apache2 includes in default
config for homedirs:

    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>

-- 
Milan




[users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 18 Mar 2004, Thiago Anderson wrote:
> i edit my httpd.conf and include the lines:
>
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
>
> and
> in virtual hosts i add this line too...
>
> but i scan the server with nessus i see the message again...

1. TRACE is not a real vulnerability.  See the archives of this list or
http://www.apacheweek.com/issues/03-01-24#news
for example.  So I wouldn't waste your time with this.

2. Don't trust your scanner.  Try a manual TRACE request using telnet and
see if it succeeds.

Joshua.
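A manual check of the kind Joshua recommends, as an added example that is not from the thread: it sends the raw TRACE request you would otherwise type into telnet and classifies the reply, so a scanner finding can be confirmed against the live server rather than trusted blindly. The host name and the two sample responses are constructed; a server that honours TRACE answers 200 with Content-Type message/http and echoes the request back, while the RewriteRule from the thread produces a 403.

```python
import socket


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 TRACE request, byte for byte what you would type into telnet."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def classify_trace_response(raw: bytes) -> dict:
    """Parse a raw HTTP response to TRACE and decide whether the method is honoured.

    TRACE is enabled when the status is 200 and the server echoes the request
    (Content-Type message/http, body starting with the request line). A 403
    (rewrite block), 405 or 501 means the method is refused."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("iso-8859-1").split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("iso-8859-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    echoed = body.startswith(b"TRACE ")
    is_msg_http = headers.get("content-type", "").startswith("message/http")
    return {"status": status, "enabled": status == 200 and (is_msg_http or echoed),
            "echoed_request": echoed}


def probe_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> dict:
    """Send the TRACE request to a server you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_trace_response(b"".join(chunks))


# Constructed sample replies (not captured from any real server), one per outcome.
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29\r\n"
                  b"Content-Type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n")
SAMPLE_BLOCKED = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache/1.3.29\r\n"
                  b"Content-Type: text/html\r\n\r\n<html><body>Forbidden</body></html>")
```

Run `probe_trace("your.host")` against each virtual host separately, since the rewrite rules in the thread only take effect in the host they are configured in.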
