httpd-users mailing list archives

From "Thiago Anderson" <s3r...@hotmail.com>
Subject RE: [users@httpd] Hello, not aswer to me!! I NEED HELP URGENT
Date Fri, 19 Mar 2004 11:34:39 GMT
Sorry, but I don't receive any answer... =) Maybe Hotmail made a bobobo, I
don't know...

=)
thx


>From: "Boyle Owen" <Owen.Boyle@swx.com>
>Reply-To: users@httpd.apache.org
>To: <users@httpd.apache.org>
>Subject: RE: [users@httpd] Hello, not aswer to me!! I NEED HELP URGENT 
>Date: Fri, 19 Mar 2004 09:58:55 +0100
>
> > -----Original Message-----
> > From: Thiago Anderson [mailto:s3ri4l@hotmail.com]
> > Sent: Thursday, 18 March 2004 20:28
> > To: users@httpd.apache.org
> > Subject: [users@httpd] Hello, not aswer to me!! I NEED HELP URGENT
> >
> >
> > Hello people,
> > I think about this list, and I post problems, and for every post
> > I do not see the answers...
> > Am I a problem?
>
>Do you not read the other posts on the list?
>
>This exact question came up a few days ago and was answered thoroughly:
>http://marc.theaimsgroup.com/?l=apache-httpd-users&m=107962158505422&w=2
>
>To summarise: There is NO PROBLEM with your apache installation. It is
>only "nessus scan" which thinks it has found a problem. TRACE is *not* a
>real vulnerability. Also, have you confirmed that apache is *really*
>responding to the TRACE request?
>
>Rgds,
>Owen Boyle
>Disclaimer: Any disclaimer attached to this message may be ignored.
>
>
> >
> > And now I post my problem:
> >
> > I compiled my apache + mod_perl + mod_ssl + php
> > with the following commands:
> >
> > groupadd apache
> > useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
> >
> >
> > tar zxpvf apache_1.3.29.tar.gz
> > tar zxpvf mod_fastcgi-2.4.2.tar.gz
> > tar zxpvf mod_ssl-2.8.16-1.3.29.tar.gz
> > tar zxpvf php-4.3.4.tar.gz
> > tar zxpvf mod_perl-1.0-current.tar.gz
> >
> > echo "Instalando mod_ssl"
> >
> > cd mod_ssl-2.8.16-1.3.29
> > ./configure --with-apache=../apache_1.3.29 \
> >     --with-crt=/etc/apache/ssl.crt/server.crt \
> >     --with-key=/etc/apache/ssl.key/server.key
> > make
> > make install
> >
> > echo "Instalando PHP"
> >
> > cd php-4.3.4
> > ./configure --prefix=/usr --disable-static --sysconfdir=/etc \
> >     --enable-discard-path --with-config-file-path=/etc/apache \
> >     --enable-safe-mode \
> >     --with-openssl --enable-bcmath --with-bz2 --with-pic \
> >     --enable-calendar \
> >     --enable-ctype --with-gdbm --with-db3 --enable-ftp \
> >     --with-iconv --with-gd \
> >     --enable-gd-native-ttf --with-jpeg-dir=/usr --with-png --with-gmp \
> >     --with-mysql --with-xml --with-gettext=shared/usr --with-mm=/usr \
> >     --enable-trans-sid --enable-shmop --enable-sockets --with-regex=php \
> >     --enable-sysvsem --enable-sysvshm --enable-yp --enable-memory-limit \
> >     --with-tsrm-pthreads --enable-shared --disable-debug --with-zlib=/usr \
> >     --with-apache=../apache_1.3.29
> > make
> > make install
> >
> > echo "Instalando APACHE + mod_perl"
> >
> > cd mod_perl-1.29
> > perl Makefile.PL APACHE_SRC=../apache_1.3.29/src DO_HTTPD=1 \
> > USE_APACI=1 EVERYTHING=1 APACI_ARGS='--prefix=/usr/local/apache
> > --disable-module=all --server-uid=apache --server-gid=apache
> > --enable-module=access --enable-module=log_config --enable-module=dir
> > --enable-module=mime --enable-module=auth
> > --activate-module=src/modules/fastcgi/libfastcgi.a
> > --activate-module=src/modules/php4/libphp4.a'
> > make
> > make test
> > make install
> > chown -R root:sys /usr/local/apache
> >
> > And I ran the nessus scan to view vulnerabilities and I got
> > this error in
> > apache:
> >
> >
> >
> > Your webserver supports the TRACE and/or TRACK methods. TRACE
> > and TRACK
> > are HTTP methods which are used to debug web server connections.
> >
> > It has been shown that servers supporting this method are subject
> > to cross-site-scripting attacks, dubbed XST for
> > "Cross-Site-Tracing", when used in conjunction with
> > various weaknesses in browsers.
> >
> > An attacker may use this flaw to trick your
> > legitimate web users to give him their
> > credentials.
> >
> > Solution: Disable these methods.
> >
> >
> > If you are using Apache, add the following lines for each virtual
> > host in your configuration file :
> >
> >     RewriteEngine on
> >     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> >     RewriteRule .* - [F]
> >
> > If you are using Microsoft IIS, use the URLScan tool to deny
> > HTTP TRACE
> > requests or to permit only the methods needed to meet site
> > requirements
> > and policy.
> >
> > If you are using Sun ONE Web Server releases 6.0 SP2 and
> > later, add the
> > following to the default object section in obj.conf:
> >     <Client method="TRACE">
> >      AuthTrans fn="set-variable"
> >      remove-headers="transfer-encoding"
> >      set-headers="content-length: -1"
> >      error="501"
> >     </Client>
> >
> > If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
> > the NSAPI plugin located at:
> >    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
> >
> >
> > See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
> >     http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
> >     http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
> >     http://www.kb.cert.org/vuls/id/867593
> >
> > Risk factor : Medium
> >
> >
> >
> >
> > I need help to stop this. My procedure is:
> > add the lines:
> >
> >     RewriteEngine on
> >     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> >     RewriteRule .* - [F]
> >
> > and I add these lines to my configuration with any vhost...
> >
> > I need help.... =)
> >

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
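
The question raised in the quoted reply, whether Apache is really answering TRACE, can be checked directly instead of relying on the scanner's verdict. The following is an added example, not code from this thread: it classifies the raw reply to a TRACE request and treats only a 200 `message/http` echo of the request as TRACE being on, while a 403 (what the `RewriteRule .* - [F]` lines return) counts as off. The `X-Trace-Probe` header, the host `www.example.test` and the three sample replies are constructed for illustration.

```python
import http.client
import io
import socket

MARKER = "X-Trace-Probe: check-1"  # hypothetical header, used only by this check


class _Buf:
    """Lets http.client parse bytes that are already in memory."""
    def __init__(self, raw):
        self._raw = raw
    def makefile(self, *args, **kwargs):
        return io.BytesIO(self._raw)


def classify(raw):
    """Decide from a raw HTTP response whether TRACE was really honoured."""
    resp = http.client.HTTPResponse(_Buf(raw), method="TRACE")
    resp.begin()
    body = resp.read().decode("latin-1")
    ctype = (resp.getheader("Content-Type") or "").split(";")[0].strip().lower()
    # An honoured TRACE is a 200 whose message/http body echoes our request.
    if resp.status == 200 and ctype == "message/http" and MARKER.lower() in body.lower():
        return "enabled"
    if resp.status in (403, 405, 501):
        return "disabled"
    return f"inconclusive ({resp.status})"


def probe(host, port=80, timeout=5.0):
    """Send one TRACE request to a server you administer and classify the reply."""
    req = f"TRACE / HTTP/1.0\r\nHost: {host}\r\n{MARKER}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        raw = b"".join(iter(lambda: s.recv(4096), b""))
    return classify(raw)


# Constructed sample replies (not captured from a real server).
ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
        b"TRACE / HTTP/1.0\r\nHost: www.example.test\r\nX-Trace-Probe: check-1\r\n\r\n")
FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
             b"Content-Length: 9\r\n\r\nForbidden")
CATCH_ALL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"Content-Length: 13\r\n\r\n<html></html>")

if __name__ == "__main__":
    for name, raw in (("echo", ECHO), ("403", FORBIDDEN), ("catch-all", CATCH_ALL)):
        print(name, "->", classify(raw))
```

The catch-all case is the one a status-only check gets wrong: a 200 that does not echo the request is not evidence that TRACE is enabled.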

