httpd-users mailing list archives
From "J. Bakshi" <joyd...@infoservices.in>
Subject [users@httpd] <LimitExcept GET POST> not working
Date Sat, 02 Jan 2010 14:54:59 GMT
Dear list,

I have tested my webserver ( opensuse 11; apache2-2.2.8-28.4) through nikto. I have found

```
+ Server: Apache
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.9
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 4347 items checked: 5 item(s) reported on remote host
+ End Time:        2010-01-03 17:56:35 (2228 seconds)
```

To block TRACE I have added the following in the httpd.conf folder:


```
<Directory /srv/www/htdocs/>

# Prevents TRACE from allowing attackers to find a
# path through cache or proxy servers.
<LimitExcept GET POST>
deny from all
</LimitExcept>
</Directory>
```

After restarting Apache, nikto is still able to find TRACE. I have a number of VHOSTs, hence
rather than .htaccess I would like to add it in httpd.conf. What am I missing here? How can I prevent
the other info also, like the PHP header, the icons/ folder, etc.? I will be grateful if anyone
could kindly suggest something.

Thanks
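The reason the posted block has no effect on TRACE, and a server-wide httpd.conf fragment that addresses each of the quoted Nikto findings, as an added example that is not from the original post or from the httpd project. TRACE is answered by the core before per-directory access control runs, and the httpd documentation for <Limit> notes that TRACE cannot be limited that way; the directive for it is TraceEnable, available since 2.0.55 and so present in 2.2.8. The icons path and the presence of mod_headers are assumptions for an openSUSE-style layout; the X-Powered-By and PHPB8B5F2A0 findings are best fixed with `expose_php = Off` in php.ini, which is outside httpd.conf.

```apache
# Added example (not the poster's configuration): server-wide hardening for
# httpd.conf, one section per Nikto finding quoted above. Paths and module
# names are assumptions for an openSUSE-style install; adjust to yours.

# --- Finding OSVDB-877: TRACE allowed ---
# A <LimitExcept GET POST> inside <Directory> does not apply to TRACE because
# TRACE is handled by the core before per-directory access control runs.
# TraceEnable is a server-config directive and belongs outside any container;
# with "Off" the core and mod_proxy answer TRACE with 405 Method Not Allowed.
TraceEnable Off

# --- Finding: "Server: Apache" banner and signature ---
# Weak defaults, shown for contrast:
#   ServerTokens OS
#   ServerSignature On
# Corrected: minimal product token, no footer line on error pages.
ServerTokens Prod
ServerSignature Off

# --- Finding OSVDB-0 / OSVDB-12184: X-Powered-By and PHP query-string tags ---
# Preferred fix is expose_php = Off in php.ini, which removes the header and
# the PHPB8B5F2A0-... easter-egg responses. If php.ini cannot be changed,
# strip the header at the server; this requires mod_headers (assumed loaded).
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# --- Findings OSVDB-3268 / OSVDB-3233: /icons/ listing and /icons/README ---
# The stock Alias for /icons/ comes with "Options Indexes MultiViews".
# Assumed icon path for openSUSE. Turn indexing off and deny the README,
# which identifies the distribution's Apache build.
<Directory "/usr/share/apache2/icons">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    <Files README>
        Order allow,deny
        Deny from all
    </Files>
</Directory>

# --- Site content ---
# A method restriction is still useful for methods that do reach the
# per-directory phase (anything other than GET and POST is denied), but it
# is not a substitute for TraceEnable Off above.
<Directory /srv/www/htdocs/>
    Options -Indexes
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

After `apache2ctl configtest` and a restart, `curl -i -X TRACE http://localhost/` should return `HTTP/1.1 405 Method Not Allowed` with a `Server: Apache` header and no `X-Powered-By`, and `curl -i http://localhost/icons/` should return 403 instead of a listing; re-running nikto then confirms the five findings are gone.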


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

