httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] TRACE feature
Date Thu, 28 Aug 2003 17:21:35 GMT
Interesting article.  My Apache server (2.0.47) didn't seem to understand
the TRACE request (replied with 400 Bad Request), but I don't know if I
tested for TRACE properly.  What would be nice to have is a little network
scanning script (Perl) to determine if TRACE is enabled.  Once able to
determine the status, then a method to go about disabling TRACE is needed,
be it a patch, a configure option, or the like.

It never ceases to amaze me how all the big-brained people who generate RFCs
are so naive that they tend to overlook basic security issues, as evidenced
once again with the "TRACE" feature of the HTTP 1.1 protocol.

Leif

----- Original Message ----- 
From: "slipmode" <slipmode@qwest.net>
To: <users@httpd.apache.org>
Sent: Thursday, August 28, 2003 12:39 PM
Subject: [users@httpd] TRACE feature


> Hello
>
> I read this paper describing the vulnerabilities of running TRACE on
> apache. http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
> It does not mention the exact method of disabling TRACE from apache. It
> mentions a modification to the source code which I cannot find.
>
> Is there a specific need to run TRACE on production servers and how can
> it be removed? It seems most distros use TRACE by default. RedHat,
> Slackware and Gentoo I know use it. Is there any not running it? This
> article implies that there is.
> -- 
> slipmode <slipmode@qwest.net>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
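
A TRACE check of the kind asked for in this thread, written as an added example in Python rather than Perl; it is not part of either message and not Apache project code. It assumes plain HTTP (no TLS) against a server you administer, and the `X-Trace-Probe` header and the three result labels are constructed for the example.

```python
"""Added example: check whether one server you administer answers HTTP TRACE."""
import socket

# Constructed marker header; if TRACE is enabled the server echoes it back.
MARKER = "X-Trace-Probe: constructed-marker-1234"

def build_trace_request(host: str) -> bytes:
    # HTTP/1.1 requires a Host header. A request without one gets
    # 400 Bad Request, which says nothing about whether TRACE is enabled.
    lines = ["TRACE / HTTP/1.1", f"Host: {host}", MARKER,
             "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def classify_trace_response(raw: bytes) -> str:
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[1].isdigit():
        return "inconclusive"      # empty or non-HTTP reply
    code = int(status_line[1])
    if code == 200 and MARKER.encode("ascii") in body:
        return "enabled"           # request echoed back as message/http
    if code in (403, 405, 501):
        return "disabled"          # forbidden, not allowed, not implemented
    return "inconclusive"          # e.g. 400: the probe itself was rejected

def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while (data := sock.recv(4096)):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe(sys.argv[1], port))
```

For disabling it, later httpd releases added the `TraceEnable off` directive; on versions without it, a mod_rewrite rule that matches `%{REQUEST_METHOD}` against `^TRACE` and uses the `[F]` flag answers TRACE with 403.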


