httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yaniv Ofer" <Ofer.Ya...@comverse.com>
Subject RE: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33
Date Tue, 13 Feb 2007 11:35:57 GMT

Hi p

It says here that the TRACE method cannot be limited.

-Ofer

http://httpd.apache.org/docs/1.3/mod/core.html#limit
========================================================================
===========================================
<Limit> directive
Syntax: <Limit method [method] ... > ... </Limit>
Context: any
Status: core 
Access controls are normally effective for all access methods, and this
is the usual desired behavior. In the general case, access control
directives should not be placed within a <limit> section.

The purpose of the <Limit> directive is to restrict the effect of the
access controls to the nominated HTTP methods. For all other methods,
the access restrictions that are enclosed in the <Limit> bracket will
have no effect. The following example applies the access control only to
the methods POST, PUT, and DELETE, leaving all other methods
unprotected:

<Limit POST PUT DELETE>
Require valid-user
</Limit> 
The method names listed can be one or more of: GET, POST, PUT, DELETE,
CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
and UNLOCK. The method name is case-sensitive. If GET is used it will
also restrict HEAD requests. The TRACE method cannot be limited.

Warning: A <LimitExcept> section should always be used in preference to
a <Limit> section when restricting access, since a <LimitExcept> section
provides protection against arbitrary methods.
========================================================================
===========================================
 

-----Original Message-----
From: Pid [mailto:p@pidster.com] 
Sent: Tuesday, February 13, 2007 1:30 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Disable TRACE HTTP method on Apache 1.3.33

try this...


http://httpd.apache.org/docs/1.3/mod/core.html#limit

<Limit TRACE>
Deny from all
</Limit>


p


Yaniv Ofer wrote:
> Hello
> 
> Our application is running over Apache 1.3.33.
> 
> As a result of a failed security test, we have been asked to disable 
> the TRACE HTTP method on our Apache Server.
> 
> Could you please refer me to a configuration/patch/fix that would 
> disable the TRACE HTTP method for Apache 1.3.33 Server?
> 
> Our Server should refuse the following HTTP TRACE request:
> 
> ==========================================================
> 
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
> 
> Host: 172.17.129.61:50084
> 
> ==========================================================
> 
> Our current server replies with 200 OK for that request.
> 
> Thanks
> 
>  Ofer
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message