Posted to users@httpd.apache.org by 吴昊 <wu...@7500.com.cn> on 2015/03/20 01:15:30 UTC

[users@httpd] Re: Apache CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability

2 solutions
As you’ve tried before, RewriteCond & RewriteRule is one solution; another is Limit & LimitExcept. And please note that even disabling the specific method(s) in these directives will not remove that method from the Supported Methods line (Allow) in an OPTIONS request.


Tks & b.rgds
--
Chris

From: surodip.patra@accenture.com [mailto:surodip.patra@accenture.com]
Sent: Thursday, March 19, 2015 8:44 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability

Hi Apache,

I have the below vulnerability:

CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability:

Tried solutions:

a.      Commented out the connect module in httpd.conf file: LoadModule proxy_connect_module modules/mod_proxy_connect.so

b.      Changed in httpd-ssl.conf file:

# Load Rewrite engine
LoadModule  rewrite_module  path/to/apache/modules/mod_rewrite.so

# Enable Rewrite engine
RewriteEngine On

# Disable TRACE, TRACK, CONNECT, OPTIONS
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|CONNECT|OPTIONS)
RewriteRule .* - [F]


But no solutions worked. Can anyone help me to get rid of this vulnerability?

Thanks & Regards,
Surodip Patra
+91-9739883456



Re: [users@httpd] Re: Apache CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability

Posted by Daniel <df...@gmail.com>.
2015-03-20 1:15 GMT+01:00 吴昊 <wu...@7500.com.cn> (message quoted above):

Define
ProxyRequests Off

Remove any <Proxy *> directive


These ^^ and that module not loaded should be enough. You don't need
mod_rewrite at all. To disable TRACE you have a specific directive
"TraceEnable off"

The CONNECT method is a means to make your server allow others to use it as a
proxy to connect to SSL sites.

If you have all these disabled and you are still being reported for the
same weakness then the check is giving a false positive or reporting about
some other server.

You can try yourself: configure your browser with your server:port as a
proxy, then try to connect to an SSL site. If you can't, there is no CONNECT
method. You can also do it through the command line with tools like "curl".

Regards

-- 
*Daniel Ferradal*
IT Specialist

email         dferradal@gmail.com
linkedin     es.linkedin.com/in/danielferradal
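
The curl check Daniel describes, scripted as an added example (not code from the thread): it asks your own httpd to act as a proxy for an https:// URL, which forces a CONNECT request, and interprets the server's answer to that CONNECT. The use of curl's %{http_connect} write-out variable and the host names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: confirm from the outside that httpd no longer honours CONNECT.
# Assumes curl is installed. PROXY is your own server as host:port, TARGET is
# any TLS site; both are hypothetical placeholders below.

# Interpret the status code httpd returned to the CONNECT request.
# 200 means the server opened a tunnel, i.e. it is acting as an open forward
# proxy (the finding is real); 4xx/5xx (typically 403 or 405 once
# "ProxyRequests Off" is set and mod_proxy_connect is not loaded) means it
# refused; 000 or empty means curl got no usable answer at all.
classify_connect_status() {
    case "$1" in
        200)            echo "open-proxy" ;;
        [45][0-9][0-9]) echo "refused" ;;
        000|"")         echo "no-response" ;;
        *)              echo "unexpected" ;;
    esac
}

# Drive curl through the server as an HTTP proxy. Requesting an https:// URL
# via --proxy makes curl send "CONNECT target:443"; %{http_connect} reports the
# code the proxy answered that CONNECT with, and is written even when curl then
# fails (it exits non-zero after a 403 from the proxy, which is what we want).
check_connect() {
    proxy="$1"
    target="${2:-www.example.com}"
    code=$(curl -s -o /dev/null --max-time 10 \
               --proxy "http://$proxy" -w '%{http_connect}' \
               "https://$target/" 2>/dev/null)
    classify_connect_status "$code"
}

# Usage: ./check_connect.sh myhost.example:80 [www.example.com]
if [ "$#" -gt 0 ]; then
    check_connect "$@"
fi
```

"refused" is the result you want after applying ProxyRequests Off and unloading mod_proxy_connect; "open-proxy" means the server still tunnels CONNECT and the scanner finding stands.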