Posted to users@httpd.apache.org by Ben Ricker <br...@wellinx.com> on 2003/01/24 21:46:02 UTC
[users@httpd] The "Limit" Directive and TRACE
I am trying to fortify a web server running Apache 1.3.27 against
cross-site scripting (see
http://www.extremetech.com/article2/0,3973,841047,00.asp for more
information).
The problem is that I am trying to disallow the use of TRACE using the
LIMIT directive. Here is a 'Limit' directive snippet from the Apache
docs (http://httpd.apache.org/docs/mod/core.html#limit).
When I put the following in the httpd.conf:
<Limit TRACE>
Deny from All
</Limit>
I get the following error:
../bin/apachectl configtest
Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
TRACE cannot be controlled by <Limit>
Am I missing something here?
Ben Ricker
Wellinx.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] The "Limit" Directive and TRACE
Posted by Sander Holthaus - Orange XL <in...@orangexl.com>.
I use this on all my vhosts
<LimitExcept GET HEAD POST>
Order deny,allow
Deny from all
</LimitExcept>
Don't know if it'll help you out.
Re: [users@httpd] The "Limit" Directive and TRACE
Posted by Richard Pyne <rp...@kinfolk.org>.
Before you spend too much time on it, read:
http://online.securityfocus.com/archive/1/307778
--Richard
--
Richard B. Pyne
rpyne@kinfolk.org
Re: [users@httpd] The "Limit" Directive and TRACE
Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Jan 2003, Ben Ricker wrote:
> > I suspect (though I haven't tested) you could also use
> > SetEnvIf Request_Method TRACE trace_request
> > Order allow,deny
> > allow from all
> > deny from env=trace_request
>
> Hmmm....Apache does not like the Order directive scoped under SetEnvIf.
> It does not work in 1.3.27. I looked over the docs but could not find
> anything that shows an example of using the Order directives under SetEnvIf.
It isn't the SetEnvIf that is the problem. It is the context of Order.
It can't be placed in the main server context; it must be inside a
container, as in
SetEnvIf Request_Method TRACE trace_request
<Location />
Order allow,deny
allow from all
deny from env=trace_request
</Location>
Joshua.
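Added example, not code from the thread or from the Apache project: a small Python lint that reproduces the two configtest rejections discussed above over constructed httpd.conf fragments, TRACE named inside <Limit> and Order/Allow/Deny outside a directory-style container. The rules and the sample fragments come from the messages above; the function name and finding messages are assumptions of this example.

```python
import re

# Added example (not from the thread): lint httpd.conf text for the two
# mistakes discussed above. Rule 1: Apache 1.3 rejects TRACE inside <Limit>.
# Rule 2: Order/Allow/Deny have "directory" context, so they must sit inside a
# <Directory>, <Location> or <Files> style container; the main server context
# (or a <VirtualHost> by itself) is not enough.
DIRECTORY_CONTAINERS = {"directory", "directorymatch", "location",
                        "locationmatch", "files", "filesmatch"}
ACCESS_DIRECTIVES = {"order", "allow", "deny"}
SECTION_RE = re.compile(r"<(/?)(\w+)(?:\s+([^>]*?))?\s*>$")


def lint_httpd_conf(text):
    """Return a list of (line_number, message) findings for a config fragment."""
    findings, open_sections, lineno = [], [], 0  # open_sections: lower-cased names
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            closing, name, args = m.group(1), m.group(2).lower(), m.group(3) or ""
            if closing:
                if open_sections and open_sections[-1] == name:
                    open_sections.pop()
                else:
                    findings.append((lineno, f"</{name}> without matching open tag"))
            else:
                if name == "limit" and "TRACE" in args.upper().split():
                    findings.append((lineno, "TRACE cannot be controlled by <Limit>"))
                open_sections.append(name)
            continue
        directive = line.split()[0].lower()
        in_dir_ctx = any(s in DIRECTORY_CONTAINERS for s in open_sections)
        if directive in ACCESS_DIRECTIVES and not in_dir_ctx:
            findings.append((lineno, f"{directive} not allowed here: needs a "
                                     "<Location>/<Directory>/<Files> container"))
    findings += [(lineno, f"<{s}> never closed") for s in open_sections]
    return findings


# Constructed fragments: the two forms the thread shows being rejected, and the fix.
BROKEN_LIMIT = "<Limit TRACE>\nDeny from All\n</Limit>\n"
BROKEN_CONTEXT = ("SetEnvIf Request_Method TRACE trace_request\n"
                  "Order allow,deny\nallow from all\ndeny from env=trace_request\n")
FIXED = ("SetEnvIf Request_Method TRACE trace_request\n<Location />\n"
         "Order allow,deny\nallow from all\ndeny from env=trace_request\n</Location>\n")

if __name__ == "__main__":
    for label, cfg in (("limit", BROKEN_LIMIT), ("context", BROKEN_CONTEXT), ("fixed", FIXED)):
        print(label, lint_httpd_conf(cfg))
```

The lint only checks section context and the TRACE-in-Limit rule; it is a pre-check to run before `apachectl configtest`, not a replacement for it.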
Re: [users@httpd] The "Limit" Directive and TRACE
Posted by Ben Ricker <br...@wellinx.com>.
Joshua Slive wrote:
> On Fri, 24 Jan 2003, Ben Ricker wrote:
>
>
>>I am trying to fortify a web server running Apache 1.3.27 against
>>cross-site scripting (see
>>http://www.extremetech.com/article2/0,3973,841047,00.asp for more
>>information).
>>
>>The problem is that I am trying to disallow the use of TRACE using the
>>LIMIT directive.
>
>
> See:
> http://www.apacheweek.com/issues/03-01-24#news
That was a helpful article and it makes sense that the vulnerability is
not SO huge as Whitehatsec makes it out to be, in the sense that it is
not necessarily Apache's issue.
> I suspect (though I haven't tested) you could also use
> SetEnvIf Request_Method TRACE trace_request
> Order allow,deny
> allow from all
> deny from env=trace_request
Hmmm....Apache does not like the Order directive scoped under SetEnvIf.
It does not work in 1.3.27. I looked over the docs but could not find
anything that shows an example of using the Order directives under SetEnvIf.
I guess I can stick with the mod_rewrite trick on the ApacheWeek
article, although I am not sure I have mod_rewrite setup....
Thanks,
Ben Ricker
Wellinx.com
Re: [users@httpd] The "Limit" Directive and TRACE
Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Jan 2003, Ben Ricker wrote:
> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using the
> LIMIT directive.
See:
http://www.apacheweek.com/issues/03-01-24#news
I suspect (though I haven't tested) you could also use
SetEnvIf Request_Method TRACE trace_request
Order allow,deny
allow from all
deny from env=trace_request
Joshua.