Print

 

Plugin Name: HTTP TRACE / TRACK Methods Allowed

 

To turn off track and trace methods globally on the server add the following line:

vim /etc/httpd/conf/httpd.conf
TraceEnable Off

 

To turn off track and trace methods for individual virtual hosts add the follwowing to the vhost config:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

 

 

Check the apache config:
/usr/sbin/apachectl -t
Syntax OK

 

 

Restart apache:

/etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

 

 

 

Further apache information http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

 

 

 

 

Nessus Output: 

 

Synopsis
Debugging functions are enabled on the remote web server.

Description
The remote webserver supports the TRACE and/or TRACK methods.  TRACE
and TRACK are HTTP methods that are used to debug web server
connections.

Solution
Disable these methods.  Refer to the plugin output for more information.

See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1
 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS

Plugin Output
To disable these methods, add the following lines for each virtual
host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1414923557.html HTTP/1.1
Connection: Close
Host: ip.add.re.ss

Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Fri, 30 Apr 2010 19:51:12 GMT
Server: Apache
Connection: close
Content-Type: message/http


TRACE /Nessus1414923557.html HTTP/1.1
Connection: Close
Host: ip.add.re.ssPragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

CVE
CVE-2003-1567
CVE-2004-2320
CVE-2010-0386

BID
9506
9561
11604
33374
37995

Xref
OSVDB:877
OSVDB:3726
OSVDB:5648
OSVDB:50485