httpd-dev mailing list archives

From "Swapan Gupta" <swapan_gu...@infosys.com>
Subject Apache - TRACE vulnerability solution
Date Tue, 05 Sep 2006 14:33:14 GMT

Hi,

I am using Apache 2.0.54 and trying out the suggested solution for the
HTTP TRACE vulnerability as mentioned at
https://www.kb.cert.org/vuls/id/867593
using the mod_rewrite module and specifying the following lines in
the .htaccess file.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

However, this does not seem to work.

When sending the request using the TRACE method, I am getting the echo
response as before. However, if I change the method name in the above
lines to either GET or POST or TRACK or HEAD, and send the corresponding
request, I am getting the expected 403 Forbidden response.

Can TRACE requests not be forbidden by the above solution?
Do I need any additional configuration specifically for TRACE methods?

Thanks.
-Swapan
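
Added example (not part of the original message, and not Apache httpd code): a small Python check for the test described above. It sends one TRACE request carrying a unique marker header and reports whether the server echoed the request back or refused the method. The header name X-Trace-Probe and the function names are assumptions made for this example; the path argument should point inside the directory that the .htaccess file covers.

```python
import http.client
import secrets

# Statuses that mean the server refused the method instead of echoing it.
REFUSED = {403, 405, 501}

def classify_trace_response(status, body, marker):
    """Classify the reply to a TRACE probe that carried `marker` in a header.

    'echoed'       - the request came back in the body (TRACE is active)
    'blocked'      - the server refused the method
    'inconclusive' - anything else (e.g. a normal page or a proxy answered)
    """
    if isinstance(body, str):
        body = body.encode("latin-1")
    if marker.encode("ascii") in body:
        return "echoed"
    if status in REFUSED:
        return "blocked"
    return "inconclusive"

def probe_trace(host, port=80, path="/", use_tls=False, timeout=5):
    """Send one TRACE request and return (status, verdict)."""
    # Constructed marker, unique per run, so a cached or static page cannot match.
    marker = "trace-probe-" + secrets.token_hex(8)
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        # Hypothetical header name; any header works because TRACE echoes them all.
        conn.request("TRACE", path, headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536)  # an echo is small; cap the read
        return resp.status, classify_trace_response(resp.status, body, marker)
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    print(probe_trace(sys.argv[1], port, path))
```

A verdict of "echoed" after the rewrite rules are in place corresponds to the behaviour reported in the message; "blocked" with status 403 is the result the rules were expected to produce.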


