Hi,
I am using Apache 2.0.54 and trying out the suggested solution for the HTTP TRACE vulnerability as mentioned at https://www.kb.cert.org/vuls/id/867593
using the mod_rewrite module and specifying the following lines in the .htaccess file.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
However, this does not seem to work.
When sending the request using the TRACE method, I am getting the echo response as before. However, if I change the method name in the above lines to either GET or POST or TRACK or HEAD, and send the corresponding request, I am getting the expected 403 Forbidden response.
Can TRACE requests not be forbidden by the above solution?
Do I need any additional configuration specifically for TRACE methods?
Thanks.
-Swapan
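
The check described in the message above (send a TRACE request, then see whether the request is echoed back or a 403 is returned), written as an added example that is not part of the original post. The stub server, the `X-Probe` header and the marker value are constructed for the demonstration; `probe_trace` can be pointed at the host and port of a server you administer.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "trace-probe-7f3a"  # constructed value; an echoing server sends it back

def classify(status, ctype, body):
    """Decide from one TRACE response whether the request was echoed."""
    if status == 200 and (ctype.lower().startswith("message/http") or MARKER in body):
        return "echoed"      # TRACE was answered: the rewrite rule did not apply
    if status in (403, 405, 501):
        return "blocked"     # forbidden, not allowed, or not implemented
    return "inconclusive"

def probe_trace(host, port, path="/"):
    """Send TRACE with a marker header; return (verdict, HTTP status)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"X-Probe": MARKER})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify(resp.status, resp.getheader("Content-Type", ""), body), resp.status
    finally:
        conn.close()

class StubHandler(BaseHTTPRequestHandler):  # constructed stand-in for the server
    block_trace = False
    def do_TRACE(self):
        if self.block_trace:
            return self.send_error(403)
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.end_headers()
        self.wfile.write(echo)
    def log_message(self, *args): pass  # keep the demo output quiet

def demo(block_trace):
    """Probe a local stub that either echoes TRACE or answers 403."""
    handler = type("Stub", (StubHandler,), {"block_trace": block_trace})
    with HTTPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_trace("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print("echoing stub:", demo(False), "| blocking stub:", demo(True))
```

A verdict of "echoed" after a configuration change means the rule was not applied to TRACE requests, which is the behaviour reported in the message.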