Re: Disable TRACE HTTP method on Apache 1.3.33

Steve Swift wrote:
Try this, then:

# Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

On 13/02/07, *Yaniv Ofer* <Ofer.Yaniv@xxxxxxxxxxxx> wrote:


    Hi p

    It says here that the TRACE method cannot be limited.

my bad, apologies.
Steve is right above.


    -Ofer

    http://httpd.apache.org/docs/1.3/mod/core.html#limit
    ========================================================================

    ===========================================
    <Limit> directive
    Syntax: <Limit method [method] ... > ... </Limit>
    Context: any
    Status: core
    Access controls are normally effective for all access methods, and this
    is the usual desired behavior. In the general case, access control
    directives should not be placed within a <limit> section.

    The purpose of the <Limit> directive is to restrict the effect of the
    access controls to the nominated HTTP methods. For all other methods,
    the access restrictions that are enclosed in the <Limit> bracket will
    have no effect. The following example applies the access control
    only to
    the methods POST, PUT, and DELETE, leaving all other methods
    unprotected:

    <Limit POST PUT DELETE>
    Require valid-user
    </Limit>
    The method names listed can be one or more of: GET, POST, PUT, DELETE,
    CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
    and UNLOCK. The method name is case-sensitive. If GET is used it will
    also restrict HEAD requests. The TRACE method cannot be limited.

    Warning: A <LimitExcept> section should always be used in preference to
    a <Limit> section when restricting access, since a <LimitExcept> section
    provides protection against arbitrary methods.
    ========================================================================

    ===========================================


    -----Original Message-----
    From: Pid [mailto:p@xxxxxxxxxxx]
    Sent: Tuesday, February 13, 2007 1:30 PM
    To: users@xxxxxxxxxxxxxxxx
    Subject: Re:  Disable TRACE HTTP method on Apache 1.3.33

    try this...


    http://httpd.apache.org/docs/1.3/mod/core.html#limit

    <Limit TRACE>
    Deny from all
    </Limit>


    p


    Yaniv Ofer wrote:
     > Hello
     >
     > Our application is running over Apache 1.3.33.
     >
     > As a result of a failed security test, we have been asked to disable
     > the TRACE HTTP method on our Apache Server.
     >
     > Could you please refer me to a configuration/patch/fix that would
     > disable the TRACE HTTP method for Apache 1.3.33 Server?
     >
     > Our Server should refuse the following HTTP TRACE request:
     >
     > ==========================================================
     >
     > TRACE /inbox?Uid=379%2D100 HTTP/1.1
     >
     > Host: 172.17.129.61:50084
     >
     > ==========================================================
     >
     > Our current server replies with 200 OK for that request.
     >
     > Thanks
     >
     >  Ofer
     >


    ---------------------------------------------------------------------
    The official User-To-User support forum of the Apache HTTP Server
    Project.
    See <URL:http://httpd.apache.org/userslist.html> for more info.
    To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
       "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
    For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
Steve Swift
http://www.swiftys.org.uk


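As an added check for this thread (not code from any of the posts above or from the Apache project): the script below sends the exact TRACE request from Ofer's report as raw bytes and reports whether the server still echoes it back with a 2xx, which is what the failed security test was flagging. It tries TRACK as well, since Steve's rule covers both. Two small mock servers are constructed stand-ins for the 1.3.33 box before and after the RewriteRule goes in, so the script runs offline; to test the real server, point it at that host and port instead of the loopback mocks. Host, ports and the probe header name are assumptions. Two caveats worth knowing when applying Steve's rule: mod_rewrite directives in the main server config are not inherited by <VirtualHost> blocks unless each vhost sets RewriteOptions inherit, so put the rule in every vhost or set that option; and from Apache 1.3.34 (and 2.0.55) onwards there is a TraceEnable off directive, which is the simpler choice once the box is upgraded.

```python
"""Probe an HTTP server for a still-enabled TRACE/TRACK method.

Added example for this thread (not code from the posts or from the Apache
project). It sends the raw request from the original report and inspects the
reply, so it can be run against the 1.3.33 host before and after the
mod_rewrite rule goes in. The two mock servers are constructed stand-ins so
the script also runs offline; host, ports and the probe header are assumptions.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_PATH = "/inbox?Uid=379%2D100"            # path from the original report
MARKER = "X-Probe-Marker: trace-echo-check"     # a working TRACE echoes this back


def probe_method(host, port, method="TRACE", path=PROBE_PATH, timeout=5.0):
    """Send one raw HTTP/1.1 request and return (status_code, response_body)."""
    request = (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"{MARKER}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:                     # read until the server closes the connection
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = status_line.split(" ", 2)
    status = int(fields[1]) if len(fields) >= 2 and fields[1].isdigit() else 0
    return status, body.decode("latin-1", "replace")


def check_method(host, port, method="TRACE"):
    """Return (status, enabled): enabled is True when the server answers 2xx
    AND reflects our probe header, i.e. TRACE/TRACK is still being echoed."""
    status, body = probe_method(host, port, method)
    return status, (200 <= status < 300 and MARKER in body)


class VulnerableHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the unpatched behaviour: TRACE echoed with 200 OK."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_TRACK = do_TRACE          # scanners also try the IIS-style alias

    def log_message(self, *args):   # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    """Constructed stand-in for the behaviour after 'RewriteRule .* - [F]': 403."""

    def do_TRACE(self):
        self.send_error(403, "Forbidden")

    do_TRACK = do_TRACE


def start_mock(handler_cls):
    """Serve a mock on a free loopback port in a background thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_checks():
    """Probe both mocks; return {name: {method: (status, enabled)}} for a before/after view."""
    results = {}
    for name, handler in (("before", VulnerableHandler), ("after", HardenedHandler)):
        server, port = start_mock(handler)
        try:
            results[name] = {m: check_method("127.0.0.1", port, m) for m in ("TRACE", "TRACK")}
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, methods in run_checks().items():
        for method, (status, enabled) in methods.items():
            verdict = "still echoed (rule missing)" if enabled else "refused"
            print(f"{name}: {method} -> {status}, {verdict}")
```

Against a real host, a 403 (or 405/501) means the rule is in effect for that vhost; a 2xx with the probe header reflected in the body means the request reached a context where the rule is not applied, which is the first thing to check if a rule in httpd.conf appears to "not work" for a site served from a <VirtualHost>.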

