Apache - Disable HTTP TRACE / TRACK Methods

 

Plugin Name: HTTP TRACE / TRACK Methods Allowed

 

To turn off the TRACE and TRACK methods globally on the server (supported natively in Apache 1.3.34, 2.0.55 and 2.2 onwards), add the following line to the main config:

vim /etc/httpd/conf/httpd.conf
TraceEnable Off

 

To turn off the TRACE and TRACK methods for individual virtual hosts, add the following to the vhost config (mod_rewrite must be loaded; the [F] flag answers the request with 403 Forbidden):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

 

Check the apache config:
/usr/sbin/apachectl -t
Syntax OK

 

 

Restart apache:

/etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
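The steps above as one script, an added example that is not from the original page: it makes the global change idempotently (rewriting any existing active TraceEnable line rather than adding a second one, because a later directive would override the earlier one and silently undo the fix), keeps a backup of the file, and runs the same apachectl -t syntax check before you restart httpd. The sample config text is constructed; the default paths are the RHEL/CentOS ones used on this page, and the command-line argument is a hypothetical convenience.

```python
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Apache directive names are case-insensitive; only uncommented lines count.
TRACE_DIRECTIVE = re.compile(r"^\s*TraceEnable\b", re.IGNORECASE)

# Constructed sample config: a commented-out line (must be left alone) and an
# active 'TraceEnable extended' that must be rewritten, not merely appended to.
SAMPLE_CONF = (
    'ServerRoot "/etc/httpd"\n'
    "# TraceEnable On\n"
    "TraceEnable extended\n"
    "Listen 80\n"
)


def ensure_trace_disabled(conf_text: str) -> str:
    """Return conf_text with exactly one active 'TraceEnable Off' line.

    Any active TraceEnable line (On, Off or extended) becomes 'TraceEnable Off';
    duplicates are dropped; commented lines are preserved. If no active line
    exists, one is appended at the end of the file. Calling this on its own
    output returns the output unchanged, so it is safe to re-run.
    """
    out = []
    seen = False
    for line in conf_text.splitlines():
        if TRACE_DIRECTIVE.match(line):
            if seen:
                continue  # a second active directive is redundant at best
            out.append("TraceEnable Off")
            seen = True
        else:
            out.append(line)
    if not seen:
        if out and out[-1].strip():
            out.append("")
        out.append("# Disable HTTP TRACE (Nessus: HTTP TRACE / TRACK Methods Allowed)")
        out.append("TraceEnable Off")
    return "\n".join(out) + "\n"


def remediate(conf_path: str, apachectl: str = "/usr/sbin/apachectl") -> bool:
    """Apply the directive to conf_path (with a .bak copy) and run apachectl -t.

    Returns True when the syntax check passes, i.e. it is safe to restart httpd.
    """
    path = Path(conf_path)
    original = path.read_text()
    updated = ensure_trace_disabled(original)
    if updated == original:
        print(f"{conf_path}: TraceEnable Off already present, nothing to do")
    else:
        backup = Path(str(path) + ".bak")
        shutil.copy2(path, backup)
        path.write_text(updated)
        print(f"{conf_path}: wrote 'TraceEnable Off' (backup: {backup})")
    # Same check as on this page: 'Syntax OK' goes to stderr on success.
    result = subprocess.run([apachectl, "-t"], capture_output=True, text=True)
    print((result.stderr or result.stdout).strip())
    return result.returncode == 0


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/httpd/conf/httpd.conf"
    sys.exit(0 if remediate(conf) else 1)
```

Run it as root with the path to httpd.conf (or no argument for the RHEL default), then restart httpd as shown above once it reports Syntax OK.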

 

 

 

Further Apache information: http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

 

 

 

 

Nessus Output: 

 

Synopsis
Debugging functions are enabled on the remote web server.

Description
The remote webserver supports the TRACE and/or TRACK methods.  TRACE
and TRACK are HTTP methods that are used to debug web server
connections.

Solution
Disable these methods.  Refer to the plugin output for more information.

See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1

CVSS
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Output
To disable these methods, add the following lines for each virtual
host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1414923557.html HTTP/1.1
Connection: Close
Host: ip.add.re.ss

Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Fri, 30 Apr 2010 19:51:12 GMT
Server: Apache
Connection: close
Content-Type: message/http


TRACE /Nessus1414923557.html HTTP/1.1
Connection: Close
Host: ip.add.re.ssPragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
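To confirm the fix from the outside, the check Nessus performs above can be reproduced in a few lines of Python. This is an added example, not part of the page or of Nessus: it sends one TRACE request to your own server and treats a 2xx response carrying Content-Type message/http (or a body that echoes the request line back) as "TRACE still allowed". The two sample responses are constructed, one modelled on the 200 response shown above and one on the refusal expected after the fix (405 from TraceEnable Off, or 403 from the rewrite rule); the host, port and path are hypothetical.

```python
import http.client
import sys

# Constructed sample, shaped like the Nessus capture above: the server answers
# 200 and echoes the request back as message/http. This is the vulnerable case.
ECHOED_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Fri, 30 Apr 2010 19:51:12 GMT\r\n"
    "Server: Apache\r\n"
    "Connection: close\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE /trace-check.html HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "\r\n"
)

# Constructed sample of a server that refuses TRACE after the fix.
REFUSED_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Method Not Allowed</h1></body></html>"
)


def parse_response(raw: str):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_allowed(status: int, headers: dict, body: str) -> bool:
    """True if the server honoured TRACE by echoing the request.

    The definitive sign is a 2xx with Content-Type message/http; as a fallback
    a 2xx whose body starts with the echoed request line also counts. A 2xx
    with an ordinary HTML body (a catch-all page) is not an echo.
    """
    if not 200 <= status < 300:
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "message/http" or body.lstrip().startswith("TRACE ")


def check_response(raw: str) -> bool:
    """Classify a captured raw response (e.g. from a packet capture or log)."""
    return trace_allowed(*parse_response(raw))


def probe(host: str, port: int = 80, path: str = "/trace-check.html", timeout: float = 5.0):
    """Send one TRACE request, as Nessus does, and return (status, allowed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Host": host, "Connection": "close"})
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1", errors="replace")
        headers = {name.lower(): value for name, value in resp.getheaders()}
        return resp.status, trace_allowed(resp.status, headers, body)
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    status, allowed = probe(target)
    verdict = "ALLOWED - fix not effective" if allowed else "refused"
    print(f"{target}: HTTP {status}, TRACE {verdict}")
```

Run it against each virtual host name as well as the bare IP, since the rewrite-rule variant of the fix is applied per vhost and a host you forgot will still echo.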

CVE
CVE-2003-1567
CVE-2004-2320
CVE-2010-0386

BID
9506
9561
11604
33374
37995

Xref
OSVDB:877
OSVDB:3726
OSVDB:5648
OSVDB:50485
