Posted to users@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2004/03/18 15:49:31 UTC
[users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29
On Thu, 18 Mar 2004, Thiago Anderson wrote:
> I edit my httpd.conf and include the lines:
>
> RewriteEngine on
> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> RewriteRule .* - [F]
>
> and
> in virtual hosts I add this line too...
>
> but when I scan the server with Nessus I see the message again...
1. TRACE is not a real vulnerability. See the archives of this list or
http://www.apacheweek.com/issues/03-01-24#news
for example. So I wouldn't waste your time with this.
2. Don't trust your scanner. Try a manual TRACE request using telnet and
see if it succeeds.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
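Added example, not part of the original thread: a scripted version of the manual TRACE check suggested above, for use in place of typing the request into telnet. The function names and the X-Trace-Probe header with its value are assumptions made for this example; status 403 is treated as "blocked" because that is what the RewriteRule with [F] quoted above returns.

```python
import socket

# Constructed marker header: if TRACE is honoured, the server echoes it back.
MARKER = "X-Trace-Probe: constructed-marker-1234"

def classify(raw, marker=MARKER):
    """Interpret a raw HTTP response to a TRACE request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    echoed = marker.encode("ascii") in body
    if status == 200 and echoed:
        verdict = "enabled"        # request was reflected: TRACE works
    elif status in (403, 405, 501):
        verdict = "blocked"        # 403 is what RewriteRule .* - [F] returns
    else:
        verdict = "inconclusive"   # redirect, error page, empty reply...
    return {"status": status, "echoed": echoed, "verdict": verdict}

def probe_trace(host, port=80, path="/", timeout=5.0):
    """Send one TRACE request, as you would by hand in telnet, and classify it."""
    # HTTP/1.0 so the server closes the connection after the response.
    request = f"TRACE {path} HTTP/1.0\r\nHost: {host}\r\n{MARKER}\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                   # keep whatever arrived before the timeout
    return classify(b"".join(chunks))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # python trace_probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(probe_trace(sys.argv[1], port))
    else:                          # constructed sample: a 403 from the rewrite rule
        print(classify(b"HTTP/1.1 403 Forbidden\r\n\r\nForbidden"))
```

A scanner finding that disagrees with a "blocked" verdict here is worth checking against each virtual host separately, since the result depends on which host and port the request reaches.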
Re: [users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 18 Mar 2004, Milan Andric wrote:
> Also, in case you do find TRACE a problem, I don't think rewrite is necessary.
> The Limit directive might work too? Like what apache2 includes in default
> config for homedirs:
Unfortunately, TRACE cannot be restricted with <Limit> because of some
details of the HTTP protocol.
Joshua.
Re: [users@httpd] Re: {SPAM 02.7} [users@httpd] HTTP TRACE with Apache 1.3.29
Posted by Milan Andric <ma...@eecs.berkeley.edu>.
On Thu, Mar 18, 2004 at 09:49:31AM -0500, Joshua Slive wrote:
>
> On Thu, 18 Mar 2004, Thiago Anderson wrote:
> > I edit my httpd.conf and include the lines:
> >
> > RewriteEngine on
> > RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> > RewriteRule .* - [F]
> >
> > and
> > in virtual hosts I add this line too...
> >
> > but when I scan the server with Nessus I see the message again...
>
> 1. TRACE is not a real vulnerability. See the archives of this list or
> http://www.apacheweek.com/issues/03-01-24#news
> for example. So I wouldn't waste your time with this.
>
> 2. Don't trust your scanner. Try a manual TRACE request using telnet and
> see if it succeeds.
>
> Joshua.
Also, in case you do find TRACE a problem, I don't think rewrite is necessary.
The Limit directive might work too? Like what apache2 includes in default
config for homedirs:
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
--
Milan