Posted to users@httpd.apache.org by Ben Ricker <br...@wellinx.com> on 2003/01/24 21:46:02 UTC

[users@httpd] The "Limit" Directive and TRACE

I am trying to fortify a web server running Apache 1.3.27 against 
cross-site scripting (see 
http://www.extremetech.com/article2/0,3973,841047,00.asp for more 
information).

The problem is that I am trying to disallow the use of TRACE using the 
LIMIT directive. Here is a 'Limit' directive snippet from the Apache 
docs (http://httpd.apache.org/docs/mod/core.html#limit).

When I put the following in the httpd.conf:

<Limit TRACE>
Deny from All
</Limit>

I get the following error:

../bin/apachectl configtest
Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
TRACE cannot be controlled by <Limit>

Am I missing something here?

Ben Ricker
Wellinx.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Sander Holthaus - Orange XL <in...@orangexl.com>.
I use this on all my vhosts

    <LimitExcept GET HEAD POST>
    Order deny,allow
    Deny from all
    </LimitExcept>

Don't know if it'll help you out.



Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Richard Pyne <rp...@kinfolk.org>.
Before you spend too much time on it, read:

http://online.securityfocus.com/archive/1/307778

--Richard


-- 
Richard B. Pyne
rpyne@kinfolk.org



Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Jan 2003, Ben Ricker wrote:
> > I suspect (though I haven't tested) you could also use
> > SetEnvIf Request_Method TRACE trace_request
> > Order allow,deny
> > allow from all
> > deny from env=trace_request
>
> Hmmm....Apache does not like the Order directive scoped under SetEnvIf.
> It does not work in 1.3.27. I looked over the docs but could not find
> anything that shows an example of using the Order directives under SetEnvIf.

It isn't the SetEnvIf that is the problem.  It is the context of Order.
It can't be placed in the main server context, it must be inside a
container, as in

SetEnvIf ....
<Location />
Order allow,deny
allow from all
deny from env=trace_request
</Location>

Joshua.
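To make the evaluation order concrete, here is an added Python model of how mod_access in Apache 1.3 decides a request; it is not part of this thread and not Apache's own code. It covers the two working configurations posted above: Sander's <LimitExcept GET HEAD POST> block with Order deny,allow / Deny from all, and the SetEnvIf Request_Method plus <Location /> block Joshua gives in this message. Only the directive forms the thread uses are modelled (Allow/Deny from all, Deny from env=, <Limit>/<LimitExcept> method scoping, SetEnvIf Request_Method). It also adds one case the thread does not show, the same Location block with "allow from all" left out, to illustrate why Order allow,deny refuses every request without it. The request methods, variable name and helper names are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    env: set = field(default_factory=set)   # variables set by SetEnvIf


@dataclass
class AccessBlock:
    """One container's worth of mod_access directives (constructed model)."""
    order: str                      # "allow,deny" or "deny,allow"
    allow: tuple = ()               # Allow from ... rules
    deny: tuple = ()                # Deny from ... rules
    limit: frozenset = None         # <Limit M1 M2>: applies only to these methods
    limit_except: frozenset = None  # <LimitExcept M1 M2>: applies to every other method


def setenvif_request_method(req, pattern, var):
    """SetEnvIf Request_Method <regex> <var>: set var when the method matches."""
    if re.search(pattern, req.method):
        req.env.add(var)
    return req


def rule_matches(rule, req):
    """Only the rule forms used in the thread are modelled."""
    if rule == "all":
        return True
    if rule.startswith("env="):
        return rule[len("env="):] in req.env
    raise ValueError(f"unsupported rule {rule!r}")


def block_applies(block, req):
    if block.limit is not None:
        return req.method in block.limit
    if block.limit_except is not None:
        return req.method not in block.limit_except
    return True


def access_allowed(block, req):
    """True if mod_access lets the request through this block."""
    if not block_applies(block, req):
        return True
    allow_hit = any(rule_matches(r, req) for r in block.allow)
    deny_hit = any(rule_matches(r, req) for r in block.deny)
    if block.order == "allow,deny":
        # at least one Allow must match and no Deny may match; default is deny
        return allow_hit and not deny_hit
    if block.order == "deny,allow":
        # a matching Deny refuses unless an Allow also matches; default is allow
        return allow_hit or not deny_hit
    raise ValueError(f"unknown Order {block.order!r}")


# <LimitExcept GET HEAD POST> Order deny,allow / Deny from all </LimitExcept>
LIMIT_EXCEPT_BLOCK = AccessBlock(order="deny,allow", deny=("all",),
                                 limit_except=frozenset({"GET", "HEAD", "POST"}))

# SetEnvIf Request_Method TRACE trace_request
# <Location /> Order allow,deny / allow from all / deny from env=trace_request </Location>
LOCATION_BLOCK = AccessBlock(order="allow,deny", allow=("all",),
                             deny=("env=trace_request",))

# Same Location block with "allow from all" omitted (constructed failure case)
LOCKOUT_BLOCK = AccessBlock(order="allow,deny", deny=("env=trace_request",))


def limit_except_decision(method):
    return access_allowed(LIMIT_EXCEPT_BLOCK, Request(method))


def setenvif_decision(method):
    req = setenvif_request_method(Request(method), r"TRACE", "trace_request")
    return access_allowed(LOCATION_BLOCK, req)


def lockout_decision(method):
    req = setenvif_request_method(Request(method), r"TRACE", "trace_request")
    return access_allowed(LOCKOUT_BLOCK, req)


if __name__ == "__main__":
    for m in ("GET", "POST", "OPTIONS", "TRACE"):
        print(f"{m:8} LimitExcept={limit_except_decision(m)!s:5} "
              f"SetEnvIf={setenvif_decision(m)!s:5} "
              f"missing-allow={lockout_decision(m)}")
```

Running it shows the practical difference between the two approaches: the LimitExcept block refuses every method not in its list (OPTIONS as well as TRACE), while the SetEnvIf variant refuses only TRACE and leaves other methods alone; the third column shows that under Order allow,deny the "allow from all" line is what keeps normal requests working.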



Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Ben Ricker <br...@wellinx.com>.
Joshua Slive wrote:
> On Fri, 24 Jan 2003, Ben Ricker wrote:
> 
> 
>>I am trying to fortify a web server running Apache 1.3.27 against
>>cross-site scripting (see
>>http://www.extremetech.com/article2/0,3973,841047,00.asp for more
>>information).
>>
>>The problem is that I am trying to disallow the use of TRACE using the
>>LIMIT directive.
> 
> 
> See:
> http://www.apacheweek.com/issues/03-01-24#news

That was a helpful article and it makes sense that the vulnerability is 
not SO huge as Whitehatsec makes it out to be, in the sense that it is 
not necessarily Apache's issue.

> I suspect (though I haven't tested) you could also use
> SetEnvIf Request_Method TRACE trace_request
> Order allow,deny
> allow from all
> deny from env=trace_request

Hmmm....Apache does not like the Order directive scoped under SetEnvIf. 
It does not work in 1.3.27. I looked over the docs but could not find 
anything that shows an example of using the Order directives under SetEnvIf.

I guess I can stick with the mod_rewrite trick on the ApacheWeek 
article, although I am not sure I have mod_rewrite setup....

Thanks,

Ben Ricker
Wellinx.com




Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Jan 2003, Ben Ricker wrote:

> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using the
> LIMIT directive.

See:
http://www.apacheweek.com/issues/03-01-24#news

I suspect (though I haven't tested) you could also use
SetEnvIf Request_Method TRACE trace_request
Order allow,deny
allow from all
deny from env=trace_request

Joshua.
