httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Swapan Gupta" <>
Subject [users@httpd] Apache - TRACE vulnerability solution
Date Wed, 06 Sep 2006 08:27:45 GMT


I am using Apache 2.0.54 and trying out the suggested solution for the
Http TRACE vulnerability as mentioned at
using the mod_rewrite module and specifying the following lines in
.htaccess file.
RewriteEngine On
RewriteRule .* - [F]

However, this does not seem to work.

When sending the request using the TRACE method I am getting the echo
response as before. However, if I change the method name in the above
lines to either GET or POST or TRACK or HEAD, and send the corresponding
request I am getting the expected 403 forbidden response.

Can TRACE requests not be forbidden by the above solution?
Do I need any additional configuration specifically for TRACE methods?


**************** CAUTION - Disclaimer *****************
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of
the addressee(s). If you are not the intended recipient, please notify the sender by e-mail
and delete the original message. Further, you are not to copy, disclose, or distribute this
e-mail or its contents to any other person and any such actions are unlawful. This e-mail
may contain viruses. Infosys has taken every reasonable precaution to minimize this risk,
but is not liable for any damage you may sustain as a result of any virus in this e-mail.
You should carry out your own virus checks before opening the e-mail or attachment. Infosys
reserves the right to monitor and review the content of all messages sent to or from this
e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys
e-mail system.
***INFOSYS******** End of Disclaimer ********INFOSYS***
View raw message