httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] TRACE/TRACK problem
Date Thu, 05 Aug 2004 13:51:01 GMT
On Thu, 05 Aug 2004 10:08:50 -0300, Mauricio Cavalcanti
<mauriciopcavalcanti@hotmail.com> wrote:
> Hi,
> I ran Nessus and it found a vulnerability called "http TRACE XSS attack" in
> https (443/tcp).
> 
> Nessus solution is "Disable this methods" and to do it, nessus says:
> 
> "If you are using Apache, add the following lines for each virtual
> host in your configuration file :
> 
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]"
> 
> and see:
> http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
> http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
> http://www.kb.cert.org/vuls/id/867593
> 
> I have read many discussions about this "vulnerability".
> 
> I have changed my httpd.conf and run Nessus again. The "vulnerability"
> is still there.
> 
> I have sent an e-mail to the Nessus group and I received this:
> 
> "Apache has changed options multiple times over time to handle the
> TRACE request, which is why I suggested you consult an Apache group to
> know what to do and see what works the best with your version of Apache."

1. You are wasting your time, since this alleged TRACE vulnerability
is at most a browser bug, not a server issue.  See:
http://www.apacheweek.com/issues/03-01-24#news
and the archives of this list for more details.

2. Nessus is full-of-it.  There has been no change in Apache TRACE
handling in recent memory.  They are just trying to pass the buck. 
Plus the fact that they include "TRACK", which Apache doesn't support,
also shows they are quite lost.

3. If you still want to disable TRACE, you should test it manually by
making a TRACE request to your server (using, for example, telnet
localhost 80), rather than relying on Nessus.

4. To debug mod_rewrite problems, you need to use the RewriteLog at a
sufficiently high RewriteLogLevel.  Most likely, what you will find is
that those rules aren't being applied at all because you have them in
the wrong part of the config file or you are not restarting the server
or something like that.

Joshua.
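The manual check suggested in point 3, as an added example that is not part of the original thread. It builds the same raw request you would type into `telnet localhost 80`, and classifies the reply instead of trusting a scanner: a 2xx answer that echoes the request back (Apache replies to TRACE with `Content-Type: message/http` and the request as the body) means TRACE is live; a 403 is what the quoted `RewriteRule .* - [F]` produces when it actually fires; any other 4xx/5xx means the method is refused some other way. The `X-Probe` marker header, the `probe()` helper and the two sample replies are assumptions constructed for this example, not captured from any real server; `probe()` needs network access and takes `use_tls=True` for the 443/tcp case Nessus reported.

```python
"""Probe a web server's TRACE handling by hand (added example, not from the thread)."""
import socket
import ssl

MARKER = "X-Probe: trace-check"  # assumed header; lets us recognise an echo


def build_trace_request(host: str, path: str = "/", marker: str = MARKER) -> bytes:
    # HTTP/1.0 so the server closes the connection after one response and the
    # caller can simply read to EOF, exactly as a telnet session would show it.
    return (
        f"TRACE {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"{marker}\r\n"
        "\r\n"
    ).encode()


def classify_trace_response(raw: bytes, marker: str = MARKER) -> str:
    """Return 'enabled', 'forbidden', 'refused' or 'unknown' for a raw HTTP reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"
    try:
        status = int(parts[1])
    except ValueError:
        return "unknown"
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if 200 <= status < 300:
        # Apache's TRACE handler echoes the request as message/http; seeing our
        # own marker header in the body is the direct proof that it did.
        if marker.encode() in body or headers.get(b"content-type", b"").startswith(b"message/http"):
            return "enabled"
        return "unknown"
    if status == 403:
        return "forbidden"   # what the quoted RewriteRule ... [F] yields when it is applied
    if 400 <= status < 600:
        return "refused"     # e.g. 405/501: method blocked by some other mechanism
    return "unknown"


def probe(host: str, port: int = 80, use_tls: bool = False, timeout: float = 5.0) -> str:
    """Live check over TCP (or TLS for port 443); not run by the offline samples below."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample replies (assumed; not captured from any real server).
SAMPLE_ECHO = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\nHost: www.example.com\r\nX-Probe: trace-check\r\n\r\n"
)
SAMPLE_FORBIDDEN = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body>Forbidden</body></html>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(probe(sys.argv[1], port, use_tls=(port == 443)))
    else:
        for name, sample in (("echo", SAMPLE_ECHO), ("forbidden", SAMPLE_FORBIDDEN)):
            print(name, "->", classify_trace_response(sample))
```

Run it as `python3 trace_probe.py www.example.com 443` against your own host; if the answer is still "enabled" after adding the rewrite rules, the rules are not being applied, which is the RewriteLog question in point 4 rather than a scanner problem.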

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

