httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] TRACE feature
Date Thu, 28 Aug 2003 17:34:03 GMT



On Thu, 28 Aug 2003, slipmode wrote:

> Hello
>
> I read this paper describing the vulnerabilities of running TRACE on
> Apache. http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
> It does not mention the exact method of disabling TRACE from Apache. It
> mentions a modification to the source code which I cannot find.
>
> Is there a specific need to run TRACE on production servers and how can
> it be removed? It seems most distros use TRACE by default. RedHat,
> Slackware and Gentoo I know use it. Is there any not running it? This
> article implies that there is.

Don't believe everything you read.

Disabling TRACE will do practically nothing to secure your server.  There
was an extensive discussion on Bugtraq related to this.  See, for example:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-01/0233.html
And see the discussion in apacheweek:
http://www.apacheweek.com/issues/03-01-24#news

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

