Date: 28 Aug 2003 09:39:00 -0700
Message-Id: <1062088739.14249.7.camel@lan1.slipnet.org>
From: "slipmode"
To: users@httpd.apache.org
Subject: [users@httpd] TRACE feature

Hello

I read this paper describing the vulnerabilities of running TRACE on Apache.
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

It does not mention the exact method of disabling TRACE from Apache. It mentions a modification to the source code which I cannot find. Is there a specific need to run TRACE on production servers and how can it be removed?

It seems most distros use TRACE by default. RedHat, Slackware and Gentoo I know use it. Are there any not running it? This article implies that there is.

-- 
slipmode