httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Cossette <>
Subject Re: [users@httpd] Disabling HTTP methods
Date Wed, 27 Oct 2004 21:00:45 GMT

> >  I put the following in httpd.conf of my web server to restrict some
> > dangerous methods:
> >
> >  <IfModule mod_rewrite.c>
> >     RewriteEngine On
> >     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> >     RewriteRule .* - [F]
> >  </IfModule>
>Some problems that lead me to believe that this config snippet was
>written by someone who doesn't really know apache:
>1. The <IfModule> lines are stupid.  Do you want these directives to
>work or don't you?  If you do, they shouldn't be in <IfModule>.
>2. Apache does not handle any method named TRACK, so including that is
>completely irrelevant.

Got those lines directly from a vulnerability scanner results, and I was 
wondering about the existence of TRACK; I left it there in case it really 

>3. TRACE is not a real vulnerability anyway.  See, for example,

Thanks for clarifying that.



The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message