Posted to users@httpd.apache.org by Thomas George <tg...@ibaset.com> on 2003/12/01 18:40:07 UTC

[users@httpd] Recompiling Without HTTP TRACE

Hello,

 

I need help recompiling Apache 2.0.48 without HTTP TRACE enabled... if
anyone knows how that's done.

 

Thanks..!

 

Thomas

____________________________________________________

 

Thomas George

iBASEt

619.269.7900

____________________________________________________

 


RE: [users@httpd] Recompiling Without HTTP TRACE

Posted by Kyle Dent <kd...@seaglass.com>.
On Wed, 3 Dec 2003, Kyle Dent wrote:

> On Wed, 3 Dec 2003, Thomas George wrote:
>
> > It's not a choice I get to make.
> >
> > Our security group follows policies given to them by the federal government,
> > and HTTP TRACE has been identified as a vulnerability; maybe they know
> > something I don't...?
> >
> > Anyhow, I still would like to know if it's possible to turn it off during
> > compilation, and how to do it.
>
> You have to edit the source code and recompile. Without having
> done it, my guess is that you could accomplish this with some
> carefully placed comments in ./modules/http_protocol.c, but you'd
> better test things thoroughly after you make your changes.
>
> Kyle

I should have pointed out that if you're not experienced, it's
entirely possible that you could introduce an _actual_
vulnerability when you make changes to the source code.

Kyle


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
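
Added example, not part of the original thread and not Apache project code: a small Python check for the "test things thoroughly" step, which sends one TRACE request and reports whether the server still reflects it. The header name X-Trace-Check, the function names and the sample responses are constructed for illustration; treating 403, 405 and 501 as "blocked" is an assumption about how a rewrite rule or a patched build would answer.

```python
"""Check how a server answers TRACE after a rewrite rule or a source change."""
import http.client
import secrets


def classify_trace(status, content_type, body, marker):
    """Classify one TRACE probe result as enabled, blocked or inconclusive."""
    echoed = marker.encode("ascii") in body
    is_message_http = content_type.lower().startswith("message/http")
    if status == 200 and (echoed or is_message_http):
        return "enabled"        # the request was reflected back to the client
    if status in (403, 405, 501):
        return "blocked"        # refused, not allowed, or not implemented
    return "inconclusive"       # e.g. 200 with an ordinary page: inspect by hand


def probe_trace(host, port=80, use_tls=False, timeout=5.0):
    """Send one TRACE request carrying a random marker and classify the reply."""
    marker = "trace-check-" + secrets.token_hex(8)
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read(65536)  # a TRACE echo is small; cap what we read
        ctype = resp.getheader("Content-Type", "")
        return classify_trace(resp.status, ctype, body, marker)
    finally:
        conn.close()


# Constructed sample replies (status, Content-Type, body), not captured traffic.
MARK = "trace-check-0123456789abcdef"
SAMPLES = {
    "stock_build": (200, "message/http",
                    b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                    b"X-Trace-Check: " + MARK.encode("ascii") + b"\r\n\r\n"),
    "rewrite_forbidden": (403, "text/html; charset=iso-8859-1",
                          b"<html><body>Forbidden</body></html>"),
    "patched_build": (501, "text/html", b"<html><body>Not Implemented</body></html>"),
    "served_like_get": (200, "text/html", b"<html><body>It works</body></html>"),
}


def classify_samples():
    """Run the classifier over the constructed samples above."""
    return {name: classify_trace(s, c, b, MARK) for name, (s, c, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18} {verdict}")
```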


RE: [users@httpd] Recompiling Without HTTP TRACE

Posted by Kyle Dent <kd...@seaglass.com>.
On Wed, 3 Dec 2003, Thomas George wrote:

> It's not a choice I get to make.
>
> Our security group follows policies given to them by the federal government,
> and HTTP TRACE has been identified as a vulnerability; maybe they know
> something I don't...?
>
> Anyhow, I still would like to know if it's possible to turn it off during
> compilation, and how to do it.

You have to edit the source code and recompile. Without having
done it, my guess is that you could accomplish this with some
carefully placed comments in ./modules/http_protocol.c, but you'd
better test things thoroughly after you make your changes.

Kyle


> -----Original Message-----
> From: Joshua Slive [mailto:joshua@slive.ca]
> Sent: Monday, December 01, 2003 6:11 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Recompiling Without HTTP TRACE
>
>
> On Mon, 1 Dec 2003, Thomas George wrote:
> > I'm not really familiar with the map_to_storage hook, or why it wouldn't
> > make sense to disable a potential security vulnerability if I don't need it
> > (please let me know your thoughts on this).
>
> Read the links in the email that I sent you.  You will find that TRACE is
> not a security vulnerability (real or potential).
>
> If you don't feel like reading the apache source code, I recommend you
> don't plan on mucking with it.
>
> Joshua.



Re: [users@httpd] Recompiling Without HTTP TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 3 Dec 2003, Aaron W Morris wrote:
> Joshua, please give it up.  Your jihad against the idea of disabling
> TRACE is well meant, I realize, but utterly foolish.  People are not
> disabling TRACE because they *want* to; the decision has already been
> made.  They *have* to do it.

Hmmm... I should stop telling people the truth about the issue?  Seems
like a strange request.

> It is hard enough to fight an idea with hard evidence.  It is a hell of
> a lot harder when all you have is what some guy says on a mailing list
> and a couple of USENET postings (some of which by the same guy).

Where is the evidence that TRACE *is* a security vulnerability?

This is exactly the kind of cargo cult [1] that we need to fight.
If you let them go, people keep repeating them until the repetition itself
makes them seem like truth.

You are absolutely correct that you shouldn't trust my word for it or what
you read in some email from some random person.  But that is not what I
said.  I said to go look it up, and I provided an example on where to
start.  Go read the *complete* thread from bugtraq or go read the
discussion from the dev@httpd.apache.org mailing list.

Or check the credentials on the people you are reading.
This email:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-01/0233.html
was written by Marc Slemko, one of the foremost experts on Cross-site
scripting (of which the alleged TRACE vulnerability is a variation) and a
member of the Apache core development group.

This article:
http://www.apacheweek.com/issues/03-01-24#news
was written by Mark J Cox, head of Redhat's security response team and an
Apache core developer.

Joshua.

[1] http://www.physics.brocku.ca/etc/cargo_cult_science.html



Re: [users@httpd] Recompiling Without HTTP TRACE

Posted by André Malo <nd...@perlig.de>.
* Aaron W Morris <aa...@mindspring.com> wrote:

> Joshua, please give it up.  Your jihad against the idea of disabling
> TRACE is well meant, I realize, but utterly foolish.  People are not
> disabling TRACE because they *want* to; the decision has already been 
> made.  They *have* to do it.

seems so, yeah :-(

> It is hard enough to fight an idea with hard evidence.  It is a hell of 
> a lot harder when all you have is what some guy says on a mailing list 
> and a couple of USENET postings (some of which by the same guy).

People (who decide this and who are harassing other folks with such stuff)
have to learn it. Joshua's answers are quite authoritative regarding the
issue. If someone doesn't believe it, decides to patch something and doesn't
have the resources to do, he should rethink his aim or pay someone else to do
it ...

nd



Re: [users@httpd] Recompiling Without HTTP TRACE

Posted by Aaron W Morris <aa...@mindspring.com>.

Joshua Slive wrote:
> On Wed, 3 Dec 2003, Thomas George wrote:
> 
> 
>>Joshua,
>>
>>It's not a choice I get to make.
>>
>>Our security group follows policies given to them by the federal government,
>>and HTTP TRACE has been identified as a vulnerability; maybe they know
>>something I don't...?
> 
> 
> That's quite a vague reference to an imprecise authority.  I have a
> feeling if you really tracked this down, you'd find you are making a
> mistake.
> 
> 
>>Anyhow, I still would like to know if it's possible to turn it off during
>>compilation, and how to do it.
> 
> 
> Sure it's possible.  It involves doing some quantity of source-code
> hacking.  And I wouldn't recommend it.
> 
> Is it possible to do it without hacking the source?  No.
> 
> Joshua.
> 

Joshua, please give it up.  Your jihad against the idea of disabling
TRACE is well meant, I realize, but utterly foolish.  People are not
disabling TRACE because they *want* to; the decision has already been 
made.  They *have* to do it.

It is hard enough to fight an idea with hard evidence.  It is a hell of 
a lot harder when all you have is what some guy says on a mailing list 
and a couple of USENET postings (some of which by the same guy).

-- 
Aaron W Morris <aa...@mindspring.com> (decep)






RE: [users@httpd] Recompiling Without HTTP TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 3 Dec 2003, Thomas George wrote:

> Joshua,
>
> It's not a choice I get to make.
>
> Our security group follows policies given to them by the federal government,
> and HTTP TRACE has been identified as a vulnerability; maybe they know
> something I don't...?

That's quite a vague reference to an imprecise authority.  I have a
feeling if you really tracked this down, you'd find you are making a
mistake.

> Anyhow, I still would like to know if it's possible to turn it off during
> compilation, and how to do it.

Sure it's possible.  It involves doing some quantity of source-code
hacking.  And I wouldn't recommend it.

Is it possible to do it without hacking the source?  No.

Joshua.



RE: [users@httpd] Recompiling Without HTTP TRACE

Posted by Thomas George <tg...@ibaset.com>.
Joshua,

It's not a choice I get to make.

Our security group follows policies given to them by the federal government,
and HTTP TRACE has been identified as a vulnerability; maybe they know
something I don't...?

Anyhow, I still would like to know if it's possible to turn it off during
compilation, and how to do it.

Thanks,

Thomas


-----Original Message-----
From: Joshua Slive [mailto:joshua@slive.ca] 
Sent: Monday, December 01, 2003 6:11 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Recompiling Without HTTP TRACE


On Mon, 1 Dec 2003, Thomas George wrote:
> I'm not really familiar with the map_to_storage hook, or why it wouldn't
> make sense to disable a potential security vulnerability if I don't need it
> (please let me know your thoughts on this).

Read the links in the email that I sent you.  You will find that TRACE is
not a security vulnerability (real or potential).

If you don't feel like reading the apache source code, I recommend you
don't plan on mucking with it.

Joshua.



RE: [users@httpd] Recompiling Without HTTP TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 1 Dec 2003, Thomas George wrote:
> I'm not really familiar with the map_to_storage hook, or why it wouldn't
> make sense to disable a potential security vulnerability if I don't need it
> (please let me know your thoughts on this).

Read the links in the email that I sent you.  You will find that TRACE is
not a security vulnerability (real or potential).

If you don't feel like reading the apache source code, I recommend you
don't plan on mucking with it.

Joshua.



RE: [users@httpd] Recompiling Without HTTP TRACE

Posted by Thomas George <tg...@ibaset.com>.
André,

I'm not really familiar with the map_to_storage hook, or why it wouldn't
make sense to disable a potential security vulnerability if I don't need it
(please let me know your thoughts on this).

'disabling' would be not enabling a module during the ./configure process...
i.e.:

	./configure --enable-mods-shared=all --disable-info

What I need to know, is if HTTP TRACE can be disabled this way, or if I need
to try another approach.

Thanks,

Thomas

-----Original Message-----
From: André Malo [mailto:nd@perlig.de] 
Sent: Monday, December 01, 2003 12:21 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Recompiling Without HTTP TRACE

* "Thomas George" <tg...@ibaset.com> wrote:

> Thanks, but I'm already using the ModRewrite solution.
> 
> Since I am recompiling Apache anyways, I think it would make sense to disable
> this <i>feature</i> at the same time.
> 
> Any suggestions would be appreciated.

It sounds quite simple to me. First you need to define, what "disabling"
means. And then modify the behaviour to the desired one. It's basically
located in the map_to_storage hook, iirc.

And no, it doesn't make sense to me as well, but you probably won't care ;-)

nd



Re: [users@httpd] Recompiling Without HTTP TRACE

Posted by André Malo <nd...@perlig.de>.
* "Thomas George" <tg...@ibaset.com> wrote:

> Thanks, but I'm already using the ModRewrite solution.
> 
> Since I am recompiling Apache anyways, I think it would make sense to disable
> this <i>feature</i> at the same time.
> 
> Any suggestions would be appreciated.

It sounds quite simple to me. First you need to define, what "disabling"
means. And then modify the behaviour to the desired one. It's basically
located in the map_to_storage hook, iirc.

And no, it doesn't make sense to me as well, but you probably won't care ;-)

nd



RE: [users@httpd] Recompiling Without HTTP TRACE

Posted by Thomas George <tg...@ibaset.com>.
Thanks, but I'm already using the ModRewrite solution.

Since I am recompiling Apache anyways, I think it would make sense to disable
this <i>feature</i> at the same time.

Any suggestions would be appreciated.

Thomas

-----Original Message-----
From: Joshua Slive [mailto:joshua@slive.ca] 
Sent: Monday, December 01, 2003 10:46 AM
To: 'Apache List'
Subject: Re: [users@httpd] Recompiling Without HTTP TRACE


On Mon, 1 Dec 2003, Thomas George wrote:
> I need help recompiling Apache 2.0.48 without HTTP TRACE enabled... if
> anyone knows how that's done.

Ughhh!

See:
http://marc.theaimsgroup.com/?l=apache-httpd-users&m=106928303016265&w=2

(Looks like this might need to go in the FAQ.)

Joshua.



Re: [users@httpd] Recompiling Without HTTP TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 1 Dec 2003, Thomas George wrote:
> I need help recompiling Apache 2.0.48 without HTTP TRACE enabled... if
> anyone knows how that's done.

Ughhh!

See:
http://marc.theaimsgroup.com/?l=apache-httpd-users&m=106928303016265&w=2

(Looks like this might need to go in the FAQ.)

Joshua.
