You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Thiago Anderson <s3...@hotmail.com> on 2004/03/18 20:27:37 UTC

[users@httpd] Hello, not aswer to me!! I NEED HELP URGENT

Hello Peoples,
i think about this list, and i post problems, and every posts i not view the 
aswers...
im a problem?

and now i post my problem:

i compile my apache + mod_perl + mod_ssl + php
with follow commands:

groupadd apache
useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin


tar zxpvf apache_1.3.29.tar.gz
tar zxpvf mod_fastcgi-2.4.2.tar.gz
tar zxpvf mod_ssl-2.8.16-1.3.29.tar.gz
tar zxpvf php-4.3.4.tar.gz
tar zxpvf mod_perl-1.0-current.tar.gz

echo "Instalando mod_ssl"

cd mod_ssl-2.8.16-1.3.29
./configure --with-apache=../apache_1.3.29 
--with-crt=/etc/apache/ssl.crt/server.crt 
--with-key=/etc/apache/ssl.key/server.key
make
make instal

echo "Instalando PHP"

cd php-4.3.4
./configure --prefix=/usr --disable-static --sysconfdir=/etc 
--enable-discard-path --with-config-file-path=/etc/apache --enable-safe-mode 
--with-openssl --enable-bcmath --with-bz2 --with-pic --enable-calendar 
--enable-ctype --with-gdbm --with-db3 --enable-ftp --with-iconv --with-gd 
--enable-gd-native-ttf --with-jpeg-dir=/usr --with-png --with-gmp 
--with-mysql --with-xml --with-gettext=shared/usr --with-mm=/usr 
--enable-trans-sid --enable-shmop --enable-sockets --with-regex=php 
--enable-sysvsem --enable-sysvshm --enable-yp --enable-memory-limit 
--with-tsrm-pthreads --enable-shared --disable-debug --with-zlib=/usr 
--with-apache=../apache_1.3.29
make
make install

echo "Instalando APACHE + mod_perl"

cd mod_perl-1.29
perl Makefile.PL APACHE_SRC=../apache_1.3.29/src DO_HTTPD=1 
USE_APACI=1EVERYTHING=1 APACI_ARGS='--prefix=/usr/local/apache 
--disable-module=all --server-uid=apache --server-gid=apache 
--enable-module=access --enable-module=log_config --enable-module=dir 
--enable-module=mime --enable-module=auth 
--activate-module=src/modules/fastcgi/libfastcgi.a 
--activate-module=src/modules/php4/libphp4.a'
make
make test
make install
chown -R root:sys /usr/local/apache

and i run the nessus scan to view vulnerabilities and i follow this error in 
apache:



Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users to give him their
credentials.

Solution: Disable these methods.


If you are using Apache, add the following lines for each virtual
host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
    <Client method="TRACE">
     AuthTrans fn="set-variable"
     remove-headers="transfer-encoding"
     set-headers="content-length: -1"
     error="501"
    </Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603


See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
    http://www.kb.cert.org/vuls/id/867593

Risk factor : Medium




I need help i do stop this, my procediments is:
add lines:

RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

and i

add in my configure with any vhost this lines...

i need help.... =)

_________________________________________________________________
MSN Messenger: instale grátis e converse com seus amigos. 
http://messenger.msn.com.br


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Hello, not aswer to me!! I NEED HELP URGENT

Posted by Brian Dessent <br...@dessent.net>.

Thiago Anderson wrote:
> 
> Hello Peoples,
> i think about this list, and i post problems, and every posts i not view the
> aswers...
> im a problem?

Three people already replied to you when you posted the first time.  Are
you sure that you're subscribed to the list?

Brian

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org