Hi,
I think you should manage to do this by using RewriteCond directive and
REQUEST_METHOD environment variable
(http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond). You
should be able to build a test that says "if http method is TRACE,
then... Then forbid"
Next line should then be a RewriteRule that makes the request forbidden.
It *should* look like that (I haven't tested):
RewriteCond %{REQUEST_METHOD} ^TRACE$
RewriteRule .* [F]
Hope that'll help (please tell us).
Olivier
Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
________________________________
From: Yaniv Ofer [mailto:Ofer.Yaniv@xxxxxxxxxxxx]
Sent: 13 February 2007 12:01
To: users@xxxxxxxxxxxxxxxx
Subject: Disable TRACE HTTP method on Apache
1.3.33
Hello
Our application is running over Apache 1.3.33.
As a result of a failed security test, we have been asked to
disable the TRACE HTTP method on our Apache Server.
Could you please refer me to a configuration/patch/fix that
would disable the TRACE HTTP method for Apache 1.3.33 Server?
Our Server should refuse the following HTTP TRACE request:
==========================================================
TRACE /inbox?Uid=379%2D100 HTTP/1.1
Host: 172.17.129.61:50084
==========================================================
Our current server replies with 200 OK for that request.
Thanks
Ofer
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|