interpreting Nessus scan results | TRACE & TRACK?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Greetings --
Running 2.2.17 on a CentOS 5.5 host. All the usual security tweaks (or, at least the ones I'm familiar with) in place. Had our network types run a Nessus scan against the host - all fine, except for the following, which I'm having trouble interpreting (and hoping for some 'interpretative guidance' here). It suggests using a rewrite to handle the issue (something I've never done). I'm also not entirely sure of what TRACE and TRACK do?
Thanks in advance -- semi-newbie, so flame throwers to 'singe only' please. ;-) 

Basically, the scan found the following 'moderate risk' issue:

Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1

Solution :

Disable these methods. Refer to the plugin output for more information.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.9
(CVSS2#E:F/RL:W/RC:C)
Public Exploit Available : true


Plugin output :

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux