Hi p
It says here that the TRACE method cannot be limited.
-Ofer
http://httpd.apache.org/docs/1.3/mod/core.html#limit
========================================================================
===========================================
<Limit> directive
Syntax: <Limit method [method] ... > ... </Limit>
Context: any
Status: core
Access controls are normally effective for all access methods, and this
is the usual desired behavior. In the general case, access control
directives should not be placed within a <limit> section.
The purpose of the <Limit> directive is to restrict the effect of the
access controls to the nominated HTTP methods. For all other methods,
the access restrictions that are enclosed in the <Limit> bracket will
have no effect. The following example applies the access control only to
the methods POST, PUT, and DELETE, leaving all other methods
unprotected:
<Limit POST PUT DELETE>
Require valid-user
</Limit>
The method names listed can be one or more of: GET, POST, PUT, DELETE,
CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
and UNLOCK. The method name is case-sensitive. If GET is used it will
also restrict HEAD requests. The TRACE method cannot be limited.
Warning: A <LimitExcept> section should always be used in preference to
a <Limit> section when restricting access, since a <LimitExcept> section
provides protection against arbitrary methods.
========================================================================
===========================================
-----Original Message-----
From: Pid [mailto:p@xxxxxxxxxxx]
Sent: Tuesday, February 13, 2007 1:30 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Disable TRACE HTTP method on Apache 1.3.33
try this...
http://httpd.apache.org/docs/1.3/mod/core.html#limit
<Limit TRACE>
Deny from all
</Limit>
p
Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33.
>
> As a result of a failed security test, we have been asked to disable
> the TRACE HTTP method on our Apache Server.
>
> Could you please refer me to a configuration/patch/fix that would
> disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==========================================================
>
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
>
> Host: 172.17.129.61:50084
>
> ==========================================================
>
> Our current server replies with 200 OK for that request.
>
> Thanks
>
> Ofer
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|