Return-Path: Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 90776 invoked by uid 500); 4 Jun 2003 13:57:53 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 90763 invoked from network); 4 Jun 2003 13:57:53 -0000 Received: from ny2.fastmail.fm (HELO smtp.us2.messagingengine.com) (66.111.4.3) by daedalus.apache.org with SMTP; 4 Jun 2003 13:57:53 -0000 Received: from www.fastmail.fm (server1.internal [10.202.2.132]) by server2.messagingengine.com (Postfix) with ESMTP id 0360B62860 for ; Wed, 4 Jun 2003 09:57:53 -0400 (EDT) Received: from 127.0.0.1 ([127.0.0.1] helo=www.fastmail.fm) by messagingengine.com with SMTP; Wed, 04 Jun 2003 09:57:53 -0400 X-Epoch: 1054735073 X-Sasl-enc: Mk/nDwrA7nzotNe2beqc7w Received: from usager70-65.hec.ca (usager70-65.hec.ca [132.211.70.65]) by www.fastmail.fm (Postfix) with ESMTP id 43E6D1601C for ; Wed, 4 Jun 2003 09:57:53 -0400 (EDT) Date: Wed, 4 Jun 2003 09:57:39 -0400 (=?ISO-8859-1?Q?Est_=28heure_d'=E9t=E9=29?=) From: Joshua Slive To: users@httpd.apache.org In-Reply-To: <0F2CF5B49C85C049AAFD525C7003AED7038CF103@exchange.koc.net> Message-ID: References: <0F2CF5B49C85C049AAFD525C7003AED7038CF103@exchange.koc.net> X-X-Sender: slive@www.fastmail.fm MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Subject: Re: [users@httpd] Apache Security On Wed, 4 Jun 2003 BurcinO@koc.net wrote: > Hello, > > I want to ask something about Apache security, > > When we scan apache webservers with ISS, we found Http_Trace Vulnerability. Details was given in http://www.kb.cert.org/vuls/id/867593 address, > When I apply that solution for this vulnerability, it worked for 2 systems. But it didn't work other servers with the same configuration. > > Any suggestion regarding with this problem ? This is not a real vulnerability. Read the extended bugtraq discussion on HTTP TRACE from a while back for the details. So I would just ignore it. If you really want to restrict TRACE, then you'll need to give us more details on exactly what you tried and how you know it isn't working. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org