Hi p It says here that the TRACE method cannot be limited. -Ofer http://httpd.apache.org/docs/1.3/mod/core.html#limit ======================================================================== =========================================== <Limit> directive Syntax: <Limit method [method] ... > ... </Limit> Context: any Status: core Access controls are normally effective for all access methods, and this is the usual desired behavior. In the general case, access control directives should not be placed within a <limit> section. The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected: <Limit POST PUT DELETE> Require valid-user </Limit> The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited. Warning: A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, since a <LimitExcept> section provides protection against arbitrary methods. ======================================================================== =========================================== -----Original Message----- From: Pid [mailto:p@xxxxxxxxxxx] Sent: Tuesday, February 13, 2007 1:30 PM To: users@xxxxxxxxxxxxxxxx Subject: Re: Disable TRACE HTTP method on Apache 1.3.33 try this... http://httpd.apache.org/docs/1.3/mod/core.html#limit <Limit TRACE> Deny from all </Limit> p Yaniv Ofer wrote: > Hello > > Our application is running over Apache 1.3.33. > > As a result of a failed security test, we have been asked to disable > the TRACE HTTP method on our Apache Server. > > Could you please refer me to a configuration/patch/fix that would > disable the TRACE HTTP method for Apache 1.3.33 Server? > > Our Server should refuse the following HTTP TRACE request: > > ========================================================== > > TRACE /inbox?Uid=379%2D100 HTTP/1.1 > > Host: 172.17.129.61:50084 > > ========================================================== > > Our current server replies with 200 OK for that request. > > Thanks > > Ofer > --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|