Posted to users@httpd.apache.org by egc <co...@verizon.net> on 2010/11/22 22:54:44 UTC
[users@httpd] interpreting Nessus scan results | TRACE & TRACK?
Greetings --
Running 2.2.17 on a CentOS 5.5 host. All the usual security tweaks (or,
at least the ones I'm familiar with) in place. Had our network types run
a Nessus scan against the host - all fine, except for the following,
which I'm having trouble interpreting (and hoping for some
'interpretative guidance' here). It suggests using a rewrite to handle
the issue (something I've never done). I'm also not entirely sure of
what TRACE and TRACK do?
Thanks in advance -- semi-newbie, so flame throwers to 'singe only'
please. ;-)
Basically, the scan found the following 'moderate risk' issue:
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1
Solution :
Disable these methods. Refer to the plugin output for more information.
Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.9
(CVSS2#E:F/RL:W/RC:C)
Public Exploit Available : true
Plugin output :
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] interpreting Nessus scan results | TRACE & TRACK?
Posted by egc <co...@verizon.net>.
On 11/22/2010 5:04 PM, Jeroen Geilman wrote:
> On 11/22/2010 10:54 PM, egc wrote:
>> Greetings --
>>
>> Running 2.2.17 on a CentOS 5.5 host. All the usual security tweaks
>> (or, at least the ones I'm familiar with) in place. Had our network
>> types run a Nessus scan against the host - all fine, except for the
>> following, which I'm having trouble interpreting (and hoping for some
>> 'interpretative guidance' here). It suggests using a rewrite to
>> handle the issue (something I've never done). I'm also not entirely
>> sure of what TRACE and TRACK do?
>>
>
> The nessus text tells you exactly what they are for, and how to
> disable them.
>
>
No -- they tell *you* (perhaps) what they are. I was looking for a
pointer to some documentation so that *I* (semi-newbie) could understand
them.
Re: [users@httpd] interpreting Nessus scan results | TRACE & TRACK?
Posted by Jeroen Geilman <je...@adaptr.nl>.
On 11/22/2010 10:54 PM, egc wrote:
> Greetings --
>
> Running 2.2.17 on a CentOS 5.5 host. All the usual security tweaks
> (or, at least the ones I'm familiar with) in place. Had our network
> types run a Nessus scan against the host - all fine, except for the
> following, which I'm having trouble interpreting (and hoping for some
> 'interpretative guidance' here). It suggests using a rewrite to handle
> the issue (something I've never done). I'm also not entirely sure of
> what TRACE and TRACK do?
>
The Nessus text tells you exactly what they are for, and how to disable
them.
--
J.
Re: [users@httpd] interpreting Nessus scan results | TRACE & TRACK?
Posted by Justin Pasher <ju...@distribion.com>.
----- Original Message -----
> From: egc <co...@verizon.net>
> Date: Mon, 22 Nov 2010 16:54:44 -0500
> Subject: [users@httpd] interpreting Nessus scan results | TRACE & TRACK?
> To: users@httpd.apache.org
>
>
> Greetings --
>
> Running 2.2.17 on a CentOS 5.5 host. All the usual security tweaks
> (or, at least the ones I'm familiar with) in place. Had our network
> types run a Nessus scan against the host - all fine, except for the
> following, which I'm having trouble interpreting (and hoping for some
> 'interpretative guidance' here). It suggests using a rewrite to handle
> the issue (something I've never done). I'm also not entirely sure of
> what TRACE and TRACK do?
Just set the TraceEnable directive to off. The rewrite rules only apply
to older versions of Apache that did not support TraceEnable.
--
Justin Pasher
Distribion
http://support.distribion.com/
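One way to confirm from the outside that either fix took, covering both the TraceEnable off route in Justin's reply and the RewriteRule [F] route from the Nessus plugin output above. This is an added example, not code from the thread or from the httpd project; check_host, the constructed X-Probe marker header and the sample responses are assumptions, and the sample responses are constructed rather than captured from a real server.

```python
import socket

# Constructed marker header so an echoed request is easy to recognise.
MARKER = "X-Probe: constructed-marker"

def build_trace_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 TRACE request for the given host and path."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"{MARKER}\r\nConnection: close\r\n\r\n").encode("ascii")

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw: bytes) -> bool:
    """True when the server answered TRACE by echoing the request back."""
    status, headers, body = parse_response(raw)
    if status in (403, 405):
        # RewriteRule ... [F] answers 403; TraceEnable off answers 405.
        return False
    echoed = headers.get("content-type", "").startswith("message/http")
    return status == 200 and (echoed or MARKER.encode() in body)

def check_host(host: str, port: int = 80, path: str = "/") -> bool:
    """Send one TRACE request to a server you administer and classify it."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return trace_enabled(b"".join(chunks))

# Constructed sample responses (not captured from a real server).
RESPONSE_TRACE_ON = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                     b"Connection: close\r\n\r\nTRACE / HTTP/1.1\r\n"
                     b"Host: www.example.com\r\nX-Probe: constructed-marker\r\n"
                     b"Connection: close\r\n\r\n")
RESPONSE_TRACE_OFF = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n"
                      b"Content-Type: text/html\r\n\r\n<html>Method Not Allowed</html>")
RESPONSE_REWRITE_F = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                      b"<html>Forbidden</html>")
```

A 200 with Content-Type: message/http and the request echoed in the body is exactly what the scanner reports as "debugging functions enabled"; either a 403 or a 405 means the method is refused.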