Posted to users@httpd.apache.org by Yaniv Ofer <Of...@comverse.com> on 2007/02/13 12:00:45 UTC
[users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Hello
Our application is running over Apache 1.3.33.
As a result of a failed security test, we have been asked to disable the
TRACE HTTP method on our Apache Server.
Could you please refer me to a configuration/patch/fix that would
disable the TRACE HTTP method for Apache 1.3.33 Server?
Our Server should refuse the following HTTP TRACE request:
==========================================================
TRACE /inbox?Uid=379%2D100 HTTP/1.1
Host: 172.17.129.61:50084
==========================================================
Our current server replies with 200 OK for that request.
Thanks
Ofer
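A way to re-run the failed test yourself, as an added example that is not code from this thread: the Python below sends the same kind of TRACE request and classifies the answer. A 200 with Content-Type message/http means TRACE is on and the server is echoing the request back, which is why a reflected Cookie or Authorization header is the thing to look for (that reflection is the cross-site tracing problem the scanner is flagging); a 403 or 405 means it is blocked. The sample responses are constructed; the 200 one mirrors the chunked message/http reply an Apache 1.3 server gives for the request above, and the host, port, path and canary cookie in probe() are placeholders.

```python
"""Classify an HTTP TRACE response and, optionally, probe a live server.

Added example, not code from the thread. Sample responses below are
constructed; the 200 OK one mirrors the shape of Apache's reply (chunk
size 0x42 is hex, as Apache emits it). Host/port/path in probe() are
placeholders.
"""
import socket

# Request headers a TRACE reply would hand back to a cross-site caller.
SENSITIVE = ("cookie", "authorization", "proxy-authorization")


def _split(raw: bytes):
    """Split a raw HTTP message into (head, body) on the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def _parse_head(head: bytes):
    """Return (status_code, {lower-cased header: value}) for status line + headers."""
    lines = head.decode("iso-8859-1").splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def _dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (sizes are hex, may carry ;ext)."""
    out = b""
    while body:
        size_line, _, rest = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        out += rest[:size]
        body = rest[size + 2:]  # skip the CRLF that terminates the chunk
    return out


def analyse_trace_response(raw: bytes) -> dict:
    """TRACE is enabled when the server answers 200 with a message/http body,
    i.e. it echoes the request. Report which sensitive headers came back."""
    head, body = _split(raw)
    status, headers = _parse_head(head)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(body)
    enabled = status == 200 and headers.get("content-type", "").startswith("message/http")
    reflected = []
    if enabled:
        # body is the echoed request: request line, then its headers
        for line in body.decode("iso-8859-1").splitlines()[1:]:
            name = line.partition(":")[0].strip().lower()
            if name in SENSITIVE:
                reflected.append(name)
    return {"status": status, "trace_enabled": enabled, "reflected_sensitive": reflected}


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> dict:
    """Send a TRACE carrying a canary Cookie and classify the answer (network I/O)."""
    request = (
        f"TRACE {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
        "Cookie: canary=xst-probe\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return analyse_trace_response(b"".join(chunks))


# Constructed samples (not captured traffic).
ENABLED_RESPONSE = (  # TRACE on: 0x42 = 66 bytes of echoed request, no cookie sent
    b"HTTP/1.1 200 OK\r\nDate: Tue, 13 Feb 2007 11:51:02 GMT\r\nServer: Apache\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
    b"42\r\nTRACE /inbox?Uid=379%2D100 HTTP/1.1\r\nHost: 172.17.129.61:50084\r\n\r\n\r\n"
    b"0\r\n\r\n"
)
XST_RESPONSE = (  # same, but the client sent a cookie: 66 + 24 = 90 = 0x5a bytes
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nTransfer-Encoding: chunked\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"5a\r\nTRACE /inbox?Uid=379%2D100 HTTP/1.1\r\nHost: 172.17.129.61:50084\r\n"
    b"Cookie: session=abc123\r\n\r\n\r\n0\r\n\r\n"
)
DISABLED_RESPONSE = (  # what a RewriteRule with [F] produces
    b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    b"Content-Length: 9\r\n\r\nForbidden"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder host
    print(probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 80))
```

Run it as `python trace_probe.py host port` against the server before and after the config change; the fix is in place when `trace_enabled` turns False, and a non-empty `reflected_sensitive` on a live server is the evidence a pentester would cite.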
RE: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Posted by Chirouze Olivier <ol...@volvo.com>.
Hi,
I think you should manage to do this by using the RewriteCond directive and
the REQUEST_METHOD environment variable
(http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond). You
should be able to build a test that says "if the HTTP method is TRACE,
then forbid".
The next line should then be a RewriteRule that makes the request forbidden.
It *should* look like that (I haven't tested):
RewriteCond %{REQUEST_METHOD} ^TRACE$
# "-" leaves the URI unchanged; [F] answers 403 Forbidden
RewriteRule .* - [F]
Hope that'll help (please tell us).
Olivier
Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
________________________________
From: Yaniv Ofer [mailto:Ofer.Yaniv@comverse.com]
Sent: 13 February 2007 12:01
To: users@httpd.apache.org
Subject: [users@httpd] Disable TRACE HTTP method on Apache
1.3.33
Hello
Our application is running over Apache 1.3.33.
As a result of a failed security test, we have been asked to
disable the TRACE HTTP method on our Apache Server.
Could you please refer me to a configuration/patch/fix that
would disable the TRACE HTTP method for Apache 1.3.33 Server?
Our Server should refuse the following HTTP TRACE request:
==========================================================
TRACE /inbox?Uid=379%2D100 HTTP/1.1
Host: 172.17.129.61:50084
==========================================================
Our current server replies with 200 OK for that request.
Thanks
Ofer
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Posted by Pid <p...@pidster.com>.
Steve Swift wrote:
> Try this, then:
>
> # Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
> <IfModule mod_rewrite.c>
> RewriteEngine on
> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> RewriteRule .* - [F]
> </IfModule>
>
> On 13/02/07, *Yaniv Ofer* <Ofer.Yaniv@comverse.com
> <ma...@comverse.com>> wrote:
>
>
> Hi p
>
> It says here that the TRACE method cannot be limited.
my bad, apologies.
Steve is right above.
> -Ofer
>
> http://httpd.apache.org/docs/1.3/mod/core.html#limit
> ========================================================================
>
> ===========================================
> <Limit> directive
> Syntax: <Limit method [method] ... > ... </Limit>
> Context: any
> Status: core
> Access controls are normally effective for all access methods, and this
> is the usual desired behavior. In the general case, access control
> directives should not be placed within a <limit> section.
>
> The purpose of the <Limit> directive is to restrict the effect of the
> access controls to the nominated HTTP methods. For all other methods,
> the access restrictions that are enclosed in the <Limit> bracket will
> have no effect. The following example applies the access control
> only to
> the methods POST, PUT, and DELETE, leaving all other methods
> unprotected:
>
> <Limit POST PUT DELETE>
> Require valid-user
> </Limit>
> The method names listed can be one or more of: GET, POST, PUT, DELETE,
> CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
> and UNLOCK. The method name is case-sensitive. If GET is used it will
> also restrict HEAD requests. The TRACE method cannot be limited.
>
> Warning: A <LimitExcept> section should always be used in preference to
> a <Limit> section when restricting access, since a <LimitExcept> section
> provides protection against arbitrary methods.
> ========================================================================
>
> ===========================================
>
>
> -----Original Message-----
> From: Pid [mailto:p@pidster.com <ma...@pidster.com>]
> Sent: Tuesday, February 13, 2007 1:30 PM
> To: users@httpd.apache.org <ma...@httpd.apache.org>
> Subject: Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
>
> try this...
>
>
> http://httpd.apache.org/docs/1.3/mod/core.html#limit
> <http://httpd.apache.org/docs/1.3/mod/core.html#limit>
>
> <Limit TRACE>
> Deny from all
> </Limit>
>
>
> p
>
>
> Yaniv Ofer wrote:
> > Hello
> >
> > Our application is running over Apache 1.3.33.
> >
> > As a result of a failed security test, we have been asked to disable
> > the TRACE HTTP method on our Apache Server.
> >
> > Could you please refer me to a configuration/patch/fix that would
> > disable the TRACE HTTP method for Apache 1.3.33 Server?
> >
> > Our Server should refuse the following HTTP TRACE request:
> >
> > ==========================================================
> >
> > TRACE /inbox?Uid=379%2D100 HTTP/1.1
> >
> > Host: 172.17.129.61:50084 <http://172.17.129.61:50084>
> >
> > ==========================================================
> >
> > Our current server replies with 200 OK for that request.
> >
> > Thanks
> >
> > Ofer
> >
>
>
> --
> Steve Swift
> http://www.swiftys.org.uk
RE: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Posted by Yaniv Ofer <Of...@comverse.com>.
Hi Steve
I still get HTTP 200 OK for a TRACE HTTP request.
Attached is my httpd.conf.
I already have "rewriteengine on" at my conf file with other rewrite
conditions/rules ( not related to TRACE ).
Does the rewrite module configuration at the attached file OK?
-Ofer
==============================================================
TRACE /inbox?Uid=379%2D100 HTTP/1.1
Host: 172.17.129.61:50084
HTTP/1.1 200 OK
Date: Tue, 13 Feb 2007 11:51:02 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http
42
TRACE /inbox?Uid=379%2D100 HTTP/1.1
Host: 172.17.129.61:50084
0
==============================================================
________________________________
From: Steve Swift [mailto:steve.j.swift@gmail.com]
Sent: Tuesday, February 13, 2007 1:38 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Try this, then:
# Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
On 13/02/07, Yaniv Ofer <Of...@comverse.com> wrote:
Hi p
It says here that the TRACE method cannot be limited.
-Ofer
http://httpd.apache.org/docs/1.3/mod/core.html#limit
========================================================================
===========================================
<Limit> directive
Syntax: <Limit method [method] ... > ... </Limit>
Context: any
Status: core
Access controls are normally effective for all access methods,
and this
is the usual desired behavior. In the general case, access
control
directives should not be placed within a <limit> section.
The purpose of the <Limit> directive is to restrict the effect
of the
access controls to the nominated HTTP methods. For all other
methods,
the access restrictions that are enclosed in the <Limit> bracket
will
have no effect. The following example applies the access control
only to
the methods POST, PUT, and DELETE, leaving all other methods
unprotected:
<Limit POST PUT DELETE>
Require valid-user
</Limit>
The method names listed can be one or more of: GET, POST, PUT,
DELETE,
CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
LOCK,
and UNLOCK. The method name is case-sensitive. If GET is used it
will
also restrict HEAD requests. The TRACE method cannot be limited.
Warning: A <LimitExcept> section should always be used in
preference to
a <Limit> section when restricting access, since a <LimitExcept>
section
provides protection against arbitrary methods.
========================================================================
===========================================
-----Original Message-----
From: Pid [mailto:p@pidster.com]
Sent: Tuesday, February 13, 2007 1:30 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Disable TRACE HTTP method on Apache
1.3.33
try this...
http://httpd.apache.org/docs/1.3/mod/core.html#limit
<Limit TRACE>
Deny from all
</Limit>
p
Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33.
>
> As a result of a failed security test, we have been asked to
disable
> the TRACE HTTP method on our Apache Server.
>
> Could you please refer me to a configuration/patch/fix that
would
> disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==========================================================
>
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
>
> Host: 172.17.129.61:50084
>
> ==========================================================
>
> Our current server replies with 200 OK for that request.
>
> Thanks
>
> Ofer
>
--
Steve Swift
http://www.swiftys.org.uk
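A config-side check, as an added example that is not part of the thread: a small Python audit of an httpd.conf that reports, for the main server and each <VirtualHost>, whether a RewriteCond on REQUEST_METHOD that matches TRACE is followed by a RewriteRule with [F], and whether RewriteEngine is on in that same scope. mod_rewrite does not inherit per-server rewrite rules into virtual hosts unless RewriteOptions inherit is set, and a rule inside <Directory> or <Location> covers only that subtree, which is the usual reason a rule that looks right still leaves TRACE answering 200. The sample configuration is constructed; the ServerName is a placeholder and the address reuses the one from the test request.

```python
"""Audit httpd.conf for a TRACE-forbidding mod_rewrite rule in each server scope.
Added example, not code from the thread; SAMPLE_CONF is constructed (ServerName
is a placeholder). Simplifications: RewriteCond chains are treated as AND-ed
([OR] not modelled); Include, .htaccess and RewriteOptions inherit are not followed."""
import re

OPEN_RE = re.compile(r"^<(\w+)[^>]*>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
ENGINE_RE = re.compile(r"^RewriteEngine\s+(\w+)", re.I)
COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?", re.I)


def _cond_matches_trace(testvar: str, pattern: str) -> bool:
    """Evaluate the RewriteCond the way mod_rewrite would for a TRACE request."""
    if testvar.upper() != "%{REQUEST_METHOD}":
        return False
    try:
        return re.search(pattern, "TRACE") is not None
    except re.error:
        return False


def audit_trace_block(conf_text: str) -> dict:
    """Return {scope: {"engine_on": bool, "forbids_trace": bool}} for the main
    server and every <VirtualHost>. Only server-level directives count: a rule
    inside <Directory>/<Location> covers that subtree only."""
    scopes = {"main server": {"engine_on": False, "forbids_trace": False}}
    current = "main server"
    stack = []    # lower-cased names of open containers
    pending = []  # per RewriteCond since the last RewriteRule: does it match TRACE?
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(m.group(1).lower())
            if stack[-1] == "virtualhost":
                current = line
                scopes[current] = {"engine_on": False, "forbids_trace": False}
            pending = []
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack:
                stack.pop()
            if m.group(1).lower() == "virtualhost":
                current = "main server"
            pending = []
            continue
        server_level = all(name in ("virtualhost", "ifmodule") for name in stack)
        m = ENGINE_RE.match(line)
        if m and server_level:
            scopes[current]["engine_on"] = m.group(1).lower() == "on"
            continue
        m = COND_RE.match(line)
        if m:
            pending.append(_cond_matches_trace(m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            flags = [f.strip().upper() for f in (m.group(1) or "").split(",")]
            forbids = "F" in flags or "FORBIDDEN" in flags
            if server_level and pending and all(pending) and forbids:
                scopes[current]["forbids_trace"] = True
            pending = []
    return scopes


def findings(scopes: dict) -> list:
    out = []
    for name, s in scopes.items():
        if not s["forbids_trace"]:
            out.append(f"{name}: no RewriteCond/RewriteRule [F] for TRACE at server level")
        elif not s["engine_on"]:
            out.append(f"{name}: TRACE rule present but RewriteEngine is not on in this scope")
    return out


# Constructed sample: the global rule is fine, the first vhost forgot RewriteEngine on.
SAMPLE_CONF = """
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
<VirtualHost 172.17.129.61:50084>
    ServerName inbox.example.test
    RewriteCond %{REQUEST_METHOD} ^TRACE$
    RewriteRule .* - [F]
</VirtualHost>
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE$
    RewriteRule .* - [F]
</VirtualHost>
"""

if __name__ == "__main__":
    import sys
    print("\n".join(findings(audit_trace_block(open(sys.argv[1]).read()))))
```

Run it with the path to httpd.conf; the vhost that serves the tested address must show both flags true, otherwise the rewrite is never evaluated for that request. A RewriteRule written without the `-` substitution (`RewriteRule .* [F]`) is not counted, since mod_rewrite would read `[F]` as the substitution rather than as a flag.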
Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Posted by Steve Swift <st...@gmail.com>.
Try this, then:
# Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
On 13/02/07, Yaniv Ofer <Of...@comverse.com> wrote:
>
>
> Hi p
>
> It says here that the TRACE method cannot be limited.
>
> -Ofer
>
> http://httpd.apache.org/docs/1.3/mod/core.html#limit
> ========================================================================
> ===========================================
> <Limit> directive
> Syntax: <Limit method [method] ... > ... </Limit>
> Context: any
> Status: core
> Access controls are normally effective for all access methods, and this
> is the usual desired behavior. In the general case, access control
> directives should not be placed within a <limit> section.
>
> The purpose of the <Limit> directive is to restrict the effect of the
> access controls to the nominated HTTP methods. For all other methods,
> the access restrictions that are enclosed in the <Limit> bracket will
> have no effect. The following example applies the access control only to
> the methods POST, PUT, and DELETE, leaving all other methods
> unprotected:
>
> <Limit POST PUT DELETE>
> Require valid-user
> </Limit>
> The method names listed can be one or more of: GET, POST, PUT, DELETE,
> CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
> and UNLOCK. The method name is case-sensitive. If GET is used it will
> also restrict HEAD requests. The TRACE method cannot be limited.
>
> Warning: A <LimitExcept> section should always be used in preference to
> a <Limit> section when restricting access, since a <LimitExcept> section
> provides protection against arbitrary methods.
> ========================================================================
> ===========================================
>
>
> -----Original Message-----
> From: Pid [mailto:p@pidster.com]
> Sent: Tuesday, February 13, 2007 1:30 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
>
> try this...
>
>
> http://httpd.apache.org/docs/1.3/mod/core.html#limit
>
> <Limit TRACE>
> Deny from all
> </Limit>
>
>
> p
>
>
> Yaniv Ofer wrote:
> > Hello
> >
> > Our application is running over Apache 1.3.33.
> >
> > As a result of a failed security test, we have been asked to disable
> > the TRACE HTTP method on our Apache Server.
> >
> > Could you please refer me to a configuration/patch/fix that would
> > disable the TRACE HTTP method for Apache 1.3.33 Server?
> >
> > Our Server should refuse the following HTTP TRACE request:
> >
> > ==========================================================
> >
> > TRACE /inbox?Uid=379%2D100 HTTP/1.1
> >
> > Host: 172.17.129.61:50084
> >
> > ==========================================================
> >
> > Our current server replies with 200 OK for that request.
> >
> > Thanks
> >
> > Ofer
> >
>
>
--
Steve Swift
http://www.swiftys.org.uk
RE: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Posted by Yaniv Ofer <Of...@comverse.com>.
Thanks!!!
-----Original Message-----
From: Pid [mailto:p@pidster.com]
Sent: Tuesday, February 13, 2007 1:30 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
try this...
http://httpd.apache.org/docs/1.3/mod/core.html#limit
<Limit TRACE>
Deny from all
</Limit>
p
Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33.
>
> As a result of a failed security test, we have been asked to disable
> the TRACE HTTP method on our Apache Server.
>
> Could you please refer me to a configuration/patch/fix that would
> disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==========================================================
>
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
>
> Host: 172.17.129.61:50084
>
> ==========================================================
>
> Our current server replies with 200 OK for that request.
>
> Thanks
>
> Ofer
>
RE: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Posted by Yaniv Ofer <Of...@comverse.com>.
Hi p
It says here that the TRACE method cannot be limited.
-Ofer
http://httpd.apache.org/docs/1.3/mod/core.html#limit
========================================================================
===========================================
<Limit> directive
Syntax: <Limit method [method] ... > ... </Limit>
Context: any
Status: core
Access controls are normally effective for all access methods, and this
is the usual desired behavior. In the general case, access control
directives should not be placed within a <limit> section.
The purpose of the <Limit> directive is to restrict the effect of the
access controls to the nominated HTTP methods. For all other methods,
the access restrictions that are enclosed in the <Limit> bracket will
have no effect. The following example applies the access control only to
the methods POST, PUT, and DELETE, leaving all other methods
unprotected:
<Limit POST PUT DELETE>
Require valid-user
</Limit>
The method names listed can be one or more of: GET, POST, PUT, DELETE,
CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
and UNLOCK. The method name is case-sensitive. If GET is used it will
also restrict HEAD requests. The TRACE method cannot be limited.
Warning: A <LimitExcept> section should always be used in preference to
a <Limit> section when restricting access, since a <LimitExcept> section
provides protection against arbitrary methods.
========================================================================
===========================================
-----Original Message-----
From: Pid [mailto:p@pidster.com]
Sent: Tuesday, February 13, 2007 1:30 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
try this...
http://httpd.apache.org/docs/1.3/mod/core.html#limit
<Limit TRACE>
Deny from all
</Limit>
p
Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33.
>
> As a result of a failed security test, we have been asked to disable
> the TRACE HTTP method on our Apache Server.
>
> Could you please refer me to a configuration/patch/fix that would
> disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==========================================================
>
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
>
> Host: 172.17.129.61:50084
>
> ==========================================================
>
> Our current server replies with 200 OK for that request.
>
> Thanks
>
> Ofer
>
Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Posted by Pid <p...@pidster.com>.
try this...
http://httpd.apache.org/docs/1.3/mod/core.html#limit
<Limit TRACE>
Deny from all
</Limit>
p
Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33.
>
> As a result of a failed security test, we have been asked to disable the
> TRACE HTTP method on our Apache Server.
>
> Could you please refer me to a configuration/patch/fix that would
> disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==========================================================
>
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
>
> Host: 172.17.129.61:50084
>
> ==========================================================
>
> Our current server replies with 200 OK for that request.
>
> Thanks
>
> Ofer
>