Plugin Name: HTTP TRACE / TRACK Methods Allowed

 

To turn off track and trace methods globally on the server add the following line:

vim /etc/httpd/conf/httpd.conf
TraceEnable Off

 

To turn off track and trace methods for individual virtual hosts add the follwowing to the vhost config:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

 

 

Check the apache config:
/usr/sbin/apachectl -t
Syntax OK

 

 

Restart apache:

/etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

 

 

 

Further apache information http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

 

 

 

 

Nessus Output: 

 

Synopsis
Debugging functions are enabled on the remote web server.

Description
The remote webserver supports the TRACE and/or TRACK methods.  TRACE
and TRACK are HTTP methods that are used to debug web server
connections.

Solution
Disable these methods.  Refer to the plugin output for more information.

See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1
 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS

Plugin Output
To disable these methods, add the following lines for each virtual
host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1414923557.html HTTP/1.1
Connection: Close
Host: ip.add.re.ss

Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Fri, 30 Apr 2010 19:51:12 GMT
Server: Apache
Connection: close
Content-Type: message/http


TRACE /Nessus1414923557.html HTTP/1.1
Connection: Close
Host: ip.add.re.ssPragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

CVE
CVE-2003-1567
CVE-2004-2320
CVE-2010-0386

BID
9506
9561
11604
33374
37995

Xref
OSVDB:877
OSVDB:3726
OSVDB:5648
OSVDB:50485

 

 

 

 

 

 

 

 

Share this blog post on social media:

Social Links

Disclaimer

All advice, installation/configuration how to guides, troubleshooting and other information on this website are provided as-is with no warranty or guarantee. Whilst the information provided is correct to the best of my knowledge, I am not reponsible for any issues that may arise using this information, and you do so at your own risk. As always before performing anything; check, double check, test and always ensure you have a backup.

Copyright ©2016 Andy Barnes - Please do not copy any content including images without prior consent!

Designed and Hosted by Andy Barnes