httpd-dev mailing list archives

From Reindl Harald <>
Subject Re: TRACE still enabled by default
Date Wed, 21 Mar 2012 13:48:16 GMT

Am 21.03.2012 14:41, schrieb Noel Butler:
> On Wed, 2012-03-21 at 13:55 +0100, Reindl Harald wrote:
> Firstly, as stated previously, I agree TRACE should be disabled by default because those that need it are probably at about 1 in 10000, and I'd like to see a proper vote called on it :)  however...
>> fact is that nessus-scans usually complaining about TRACE on
> Nessus, despite I do like it, and as it is a respected industry standard, has its fair share of false positives, for simple example, look at FTP, running a public FTP server you get a severity "medium" warning, I mean like.. WTF... if anything, it should be an "info", which brings me to their LOW ratings, they need to introduce an INFO level, because 95% of "low" are not issues at all.

this is a different story
OpenVAS has an info-level and I guess Nessus too because OpenVAS is a fork

that services are treated as medium is fine because if
Nessus finds a service and you do not know that it is
running -> problem, it is the job of the auditor to flag
the port as "info, OK"

but he will NOT do this if it is a simple config-option
to disable TRACE and the application does not need it

so the defaults have to be sane
nothing more to say -> not my problem, I have disabled it
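As an added illustration (not part of the thread or of httpd itself), a small Python auditor that reports the effective `TraceEnable` value from an httpd config snippet, applying Apache's documented default of "on" when the directive is absent, plus a probe that confirms a running server answers TRACE with 405. Function names and the sample config are constructed for this example.

```python
"""Check whether an Apache httpd configuration disables TRACE, and verify it live."""
import http.client
import re

# Apache's built-in default when TraceEnable is not set anywhere is "on".
DEFAULT_TRACE = "on"
VALID_VALUES = {"on", "off", "extended"}
_DIRECTIVE = re.compile(r"^\s*TraceEnable\s+(\S+)\s*$", re.IGNORECASE)


def trace_setting(config_text: str) -> str:
    """Return the effective TraceEnable value for a config snippet.

    Directive names are case-insensitive in httpd, comment lines start with
    '#', and when the directive appears more than once the last one wins.
    """
    value = DEFAULT_TRACE
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            value = match.group(1).lower()
            if value not in VALID_VALUES:
                # httpd itself refuses to start on an unknown value.
                raise ValueError(f"invalid TraceEnable value: {match.group(1)}")
    return value


def trace_disabled(config_text: str) -> bool:
    """True only when the snippet explicitly turns TRACE off."""
    return trace_setting(config_text) == "off"


def server_allows_trace(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Send one TRACE request to a server you administer.

    With TraceEnable off, httpd answers 405 Method Not Allowed; with it on,
    the request is echoed back with Content-Type message/http.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/")
        resp = conn.getresponse()
        resp.read()
        ctype = resp.getheader("Content-Type") or ""
        return resp.status == 200 and ctype.startswith("message/http")
    finally:
        conn.close()


# Constructed sample: a stock config with TRACE left at its default.
SAMPLE_DEFAULT = "ServerName www.example.test\n# TraceEnable off\n"
```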
