httpd-users mailing list archives

From Daniel <dferra...@gmail.com>
Subject Re: [users@httpd] Re: Apache CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability
Date Fri, 20 Mar 2015 08:50:01 GMT
2015-03-20 1:15 GMT+01:00 吴昊 <wuhao@7500.com.cn>:

>  2 solutions
>
> As you’ve tried before, RewriteCond & RewriteRule is one solution; another
> is Limit & LimitExcept. And please note that even disabling the specific
> method(s) in these directives will not remove that method from the
> Supported Methods line (Allow) in an OPTIONS request.
>
>
>
>
>
> Tks & b.rgds
>
> --
>
> Chris
>
>
>
> *From:* surodip.patra@accenture.com [mailto:surodip.patra@accenture.com]
> *Sent:* Thursday, March 19, 2015 8:44 PM
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] Apache CONNECT Method Allowed in HTTP Server Or HTTP
> Proxy Server Vulnerability
>
>
>
> Hi Apache,
>
>
>
> I have the below vulnerability:
>
>
>
> CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability:
>
>
>
> *Tried solutions:*
>
>
>
> *a.      *Commented the connect module in httpd.conf file : *LoadModule
> proxy_connect_module modules/mod_proxy_connect.so*
>
>
>
> b.      Changed in httpd-ssl.conf file
>
>
>
> # Load Rewrite engine
>
> LoadModule  rewrite_module  path/to/apache/modules/mod_rewrite.so
>
>
>
> #Enable Rewrite engine
>
> RewriteEngine On
>
>
>
> # Disable TRACE, TRACK, CONNECT, OPTIONS
> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|CONNECT|OPTIONS)
> RewriteRule .* - [F]
>
>
>
> But no solutions worked. Can anyone help me to get rid of this
> vulnerability?
>
>
>
> Thanks & Regards,
>
> Surodip Patra
>
> +91-9739883456
>
>
>
>


Define
ProxyRequests Off

Remove any <Proxy *> directive


These ^^ and that module not loaded should be enough. You don't need
mod_rewrite at all. To disable TRACE you have a specific directive
"TraceEnable off"

CONNECT method is a means to make your server allow others to use it as a
proxy to connect to SSL sites.

If you have all these disabled and you are still being reported for the
same weakness then the check is giving a false positive or reporting about
some other server.

You can try it yourself: configure your browser with your server:port as a
proxy, then try to connect to an SSL site. If you can't, there is no CONNECT
method. You can also do it through the command line with tools like "curl".

Regards

-- 
*Daniel Ferradal*
IT Specialist

email         dferradal@gmail.com
linkedin     es.linkedin.com/in/danielferradal
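
The self-check described in the reply above (ask your own server to CONNECT and see whether it agrees), written as a script. This is an added example, not part of the original message; the function names, the verdict labels and the `example.com:443` target are assumptions.

```python
import re
import socket
import sys

# Constructed replies for illustration; not captured from any real server.
SAMPLE_REPLIES = {
    "proxy enabled": b"HTTP/1.1 200 Connection Established\r\n\r\n",
    "proxy disabled": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,POST\r\n\r\n",
}

def classify_connect_response(raw: bytes) -> str:
    """Map the status line of a reply to a CONNECT request to a verdict."""
    match = re.match(rb"HTTP/\d\.\d\s+(\d{3})\b", raw)
    if not match:
        return "unknown"        # empty or non-HTTP reply: inspect by hand
    code = int(match.group(1))
    if 200 <= code < 300:
        return "tunnel-open"    # the server agreed to proxy the connection
    if code == 407:
        return "auth-required"  # forward proxying is on but wants credentials
    return "refused"            # e.g. 400, 403, 405: CONNECT is not served

def probe_connect(server, port, target="example.com:443", tls_context=None, timeout=5.0):
    """Send one CONNECT request to a server you administer and classify the reply.

    Pass an ssl.SSLContext as tls_context when the listener speaks HTTPS.
    """
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    with socket.create_connection((server, port), timeout=timeout) as sock:
        if tls_context is not None:
            sock = tls_context.wrap_socket(sock, server_hostname=server)
        sock.sendall(request)
        try:
            raw = sock.recv(4096)
        except socket.timeout:
            raw = b""
    return classify_connect_response(raw)

if __name__ == "__main__":
    if len(sys.argv) == 3:      # usage: script.py <server> <port>
        print(probe_connect(sys.argv[1], int(sys.argv[2])))
    else:                       # no arguments: run on the constructed samples
        for label, reply in SAMPLE_REPLIES.items():
            print(f"{label}: {classify_connect_response(reply)}")
```

A "refused" verdict from the same address and port the scanner reported supports the false-positive reading; "tunnel-open" means something on that listener is still proxying.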
