Posted to users@httpd.apache.org by Boyle Owen <Ow...@swx.com> on 2004/03/19 09:58:55 UTC

RE: [users@httpd] Hello, no answer to me!! I NEED HELP URGENT

> -----Original Message-----
> From: Thiago Anderson [mailto:s3ri4l@hotmail.com]
> Sent: Thursday, 18 March 2004 20:28
> To: users@httpd.apache.org
> Subject: [users@httpd] Hello, no answer to me!! I NEED HELP URGENT
> 
> 
> Hello people,
> I have been thinking about this list: I post problems, and for every
> post I never see the answers...
> Am I the problem?

Do you not read the other posts on the list?

This exact question came up a few days ago and was answered thoroughly:
http://marc.theaimsgroup.com/?l=apache-httpd-users&m=107962158505422&w=2

To summarise: There is NO PROBLEM with your apache installation. It is
only "nessus scan" which thinks it has found a problem. TRACE is *not* a
real vulnerability. Also, have you confirmed that apache is *really*
responding to the TRACE request? 

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


> 
> And now I post my problem:
> 
> I compiled my apache + mod_perl + mod_ssl + php
> with the following commands:
> 
> groupadd apache
> useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
> 
> 
> tar zxpvf apache_1.3.29.tar.gz
> tar zxpvf mod_fastcgi-2.4.2.tar.gz
> tar zxpvf mod_ssl-2.8.16-1.3.29.tar.gz
> tar zxpvf php-4.3.4.tar.gz
> tar zxpvf mod_perl-1.0-current.tar.gz
> 
> echo "Instalando mod_ssl"
> 
> cd mod_ssl-2.8.16-1.3.29
> ./configure --with-apache=../apache_1.3.29 \
>   --with-crt=/etc/apache/ssl.crt/server.crt \
>   --with-key=/etc/apache/ssl.key/server.key
> make
> make install
> 
> echo "Instalando PHP"
> 
> cd php-4.3.4
> ./configure --prefix=/usr --disable-static --sysconfdir=/etc \
>   --enable-discard-path --with-config-file-path=/etc/apache \
>   --enable-safe-mode --with-openssl --enable-bcmath --with-bz2 --with-pic \
>   --enable-calendar --enable-ctype --with-gdbm --with-db3 --enable-ftp \
>   --with-iconv --with-gd --enable-gd-native-ttf --with-jpeg-dir=/usr \
>   --with-png --with-gmp --with-mysql --with-xml --with-gettext=shared/usr \
>   --with-mm=/usr --enable-trans-sid --enable-shmop --enable-sockets \
>   --with-regex=php --enable-sysvsem --enable-sysvshm --enable-yp \
>   --enable-memory-limit --with-tsrm-pthreads --enable-shared \
>   --disable-debug --with-zlib=/usr --with-apache=../apache_1.3.29
> make
> make install
> 
> echo "Instalando APACHE + mod_perl"
> 
> cd mod_perl-1.29
> perl Makefile.PL APACHE_SRC=../apache_1.3.29/src DO_HTTPD=1 \
>   USE_APACI=1 EVERYTHING=1 \
>   APACI_ARGS='--prefix=/usr/local/apache --disable-module=all --server-uid=apache --server-gid=apache --enable-module=access --enable-module=log_config --enable-module=dir --enable-module=mime --enable-module=auth --activate-module=src/modules/fastcgi/libfastcgi.a --activate-module=src/modules/php4/libphp4.a'
> make
> make test
> make install
> chown -R root:sys /usr/local/apache
> 
> And I run the Nessus scan to see vulnerabilities, and I get this
> error for apache:
> 
> Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
> are HTTP methods which are used to debug web server connections.
> 
> It has been shown that servers supporting this method are subject
> to cross-site-scripting attacks, dubbed XST for
> "Cross-Site-Tracing", when used in conjunction with
> various weaknesses in browsers.
> 
> An attacker may use this flaw to trick your
> legitimate web users to give him their
> credentials.
> 
> Solution: Disable these methods.
> 
> 
> If you are using Apache, add the following lines for each virtual
> host in your configuration file :
> 
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
> 
> If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
> requests or to permit only the methods needed to meet site requirements
> and policy.
> 
> If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
> following to the default object section in obj.conf:
>     <Client method="TRACE">
>      AuthTrans fn="set-variable"
>      remove-headers="transfer-encoding"
>      set-headers="content-length: -1"
>      error="501"
>     </Client>
> 
> If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
> the NSAPI plugin located at:
>    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
> 
> 
> See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
>     http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
>     http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
>     http://www.kb.cert.org/vuls/id/867593
> 
> Risk factor : Medium
> 
> 
> 
> 
> I need help to stop this. My procedure is:
> add lines:
> 
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
> 
> and I
> 
> add these lines in my configuration with any vhost...
> 
> I need help.... =)
> 
> 
> 
This e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 
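
The check suggested in the reply above (confirm that apache really answers
TRACE instead of trusting the scanner) as an added example; this is not code
from the original thread or from the Apache project. It sends one TRACE
request carrying a marker header and classes the reply as "echoed" (the
server reflects the request back, which is the cross-site-tracing condition
the scanner is flagging), "refused" (403/405/501, which is what you get after
the RewriteRule ... [F] advice, or from the later TraceEnable off directive
that Apache added in 1.3.34 and 2.0.55; note that <Limit> cannot restrict
TRACE) or "other". Two constructed in-process servers stand in for the two
outcomes so the demo runs offline; to test your own installation call
probe_trace(host, port) directly. Host names and ports are assumptions.

```python
"""Confirm whether a web server really answers TRACE before acting on a
scanner finding.  Added example for this thread, not code from the original
posts or from Apache; hosts and ports are assumptions and the demo below runs
against two constructed in-process servers."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_trace(host, port, path="/", timeout=5.0):
    """Send one TRACE request carrying a marker header and classify the reply.

    "echoed"  - 2xx reply whose body reflects our request line and the marker
                header: the server genuinely implements TRACE (XST condition)
    "refused" - 403 / 405 / 501: method blocked (RewriteRule ... [F] gives 403,
                TraceEnable off gives 405) or not implemented
    "other"   - anything else; inspect by hand
    """
    marker = "X-Trace-Probe"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={marker: "1"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    if 200 <= resp.status < 300 and f"TRACE {path}" in body and marker in body:
        return "echoed"
    if resp.status in (403, 405, 501):
        return "refused"
    return "other"


class _EchoingServer(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that implements TRACE as specified:
    it reflects the request it received back as a message/http body."""

    def do_TRACE(self):
        headers = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        echo = self.raw_requestline + headers.encode("latin-1") + b"\r\n"
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):
        pass  # keep the demo quiet


class _RefusingServer(_EchoingServer):
    """Constructed stand-in for a server where TRACE is blocked; it answers
    403 like the RewriteRule ... [F] advice quoted in the thread."""

    def do_TRACE(self):
        self.send_error(403)


def _start(handler):
    """Bind a throwaway server on 127.0.0.1 and serve it from a thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe both constructed servers; returns {name: verdict}."""
    verdicts = {}
    for name, handler in (("echoing", _EchoingServer),
                          ("refusing", _RefusingServer)):
        srv = _start(handler)
        try:
            host, port = srv.server_address
            verdicts[name] = probe_trace(host, port)
        finally:
            srv.shutdown()
            srv.server_close()
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name} server: TRACE {verdict}")
```

Only the "echoed" verdict means the finding applies to your server; a 403
from the rewrite rule or a 405 from TraceEnable off is the result the
scanner is asking for, and anything else deserves a look at the raw reply.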



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org