httpd-users mailing list archives

From Patrick Cossette <pcosse...@aei.ca>
Subject Re: [users@httpd] Disabling HTTP methods
Date Wed, 27 Oct 2004 21:00:45 GMT

> >  I put the following in httpd.conf of my web server to restrict some
> > dangerous methods:
> >
> >  <IfModule mod_rewrite.c>
> >     RewriteEngine On
> >     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> >     RewriteRule .* - [F]
> >  </IfModule>
>
>Some problems that lead me to believe that this config snippet was
>written by someone who doesn't really know Apache:
>
>1. The <IfModule> lines are stupid.  Do you want these directives to
>work or don't you?  If you do, they shouldn't be in <IfModule>.
>
>2. Apache does not handle any method named TRACK, so including that is
>completely irrelevant.

Got those lines directly from a vulnerability scanner's results, and I was
wondering about the existence of TRACK; I left it there in case it really
exists.

>3. TRACE is not a real vulnerability anyway.  See, for example,
>http://www.apacheweek.com/issues/03-01-24#news

Thanks for clarifying that.


>Joshua.

Patrick 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

