RE: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
Hi,

I think you should manage to do this by using the RewriteCond directive and the REQUEST_METHOD environment variable (http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond). You should be able to build a test that says: if the HTTP method is TRACE, then... forbid. The next line should then be a RewriteRule that makes the request forbidden.

It *should* look like that (I haven't tested):

    RewriteCond %{REQUEST_METHOD} ^TRACE$
    RewriteRule .* - [F]

Hope that'll help (please tell us).

Olivier

Olivier CHIROUZE
I0 Infrastructure
Volvo Information Technology

From: Yaniv Ofer [mailto:[EMAIL PROTECTED]]
Sent: 13 February 2007 12:01
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

Hello

Our application is running over Apache 1.3.33. As a result of a failed security test, we have been asked to disable the TRACE HTTP method on our Apache Server. Could you please refer me to a configuration/patch/fix that would disable the TRACE HTTP method for Apache 1.3.33 Server?

Our Server should refuse the following HTTP TRACE request:

==
TRACE /inbox?Uid=379%2D100 HTTP/1.1
Host: 172.17.129.61:50084
==

Our current server replies with 200 OK for that request.

Thanks
Ofer

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
try this...

http://httpd.apache.org/docs/1.3/mod/core.html#limit

<Limit TRACE>
Deny from all
</Limit>

p

Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33. As a result of a failed security test, we have been asked to disable the TRACE HTTP method on our Apache Server. Could you please refer me to a configuration/patch/fix that would disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
> Host: 172.17.129.61:50084
> ==
>
> Our current server replies with 200 OK for that request.
>
> Thanks
> Ofer
RE: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
Thanks!!!

-----Original Message-----
From: Pid [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2007 1:30 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

try this...

http://httpd.apache.org/docs/1.3/mod/core.html#limit

<Limit TRACE>
Deny from all
</Limit>

p

Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33. As a result of a failed security test, we have been asked to disable the TRACE HTTP method on our Apache Server. Could you please refer me to a configuration/patch/fix that would disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
> Host: 172.17.129.61:50084
> ==
>
> Our current server replies with 200 OK for that request.
>
> Thanks
> Ofer
RE: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
Hi p

It says here that the TRACE method cannot be limited.

-Ofer

http://httpd.apache.org/docs/1.3/mod/core.html#limit

===
<Limit> directive

Syntax: <Limit method [method] ... > ... </Limit>
Context: any
Status: core

Access controls are normally effective for all access methods, and this is the usual desired behavior. In the general case, access control directives should not be placed within a <Limit> section.

The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected:

<Limit POST PUT DELETE>
Require valid-user
</Limit>

The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.

Warning: A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, since a <LimitExcept> section provides protection against arbitrary methods.
===

-----Original Message-----
From: Pid [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2007 1:30 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

try this...

http://httpd.apache.org/docs/1.3/mod/core.html#limit

<Limit TRACE>
Deny from all
</Limit>

p

Yaniv Ofer wrote:
> Hello
>
> Our application is running over Apache 1.3.33. As a result of a failed security test, we have been asked to disable the TRACE HTTP method on our Apache Server. Could you please refer me to a configuration/patch/fix that would disable the TRACE HTTP method for Apache 1.3.33 Server?
>
> Our Server should refuse the following HTTP TRACE request:
>
> ==
> TRACE /inbox?Uid=379%2D100 HTTP/1.1
> Host: 172.17.129.61:50084
> ==
>
> Our current server replies with 200 OK for that request.
>
> Thanks
> Ofer
Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
Try this, then:

# Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</IfModule>

On 13/02/07, Yaniv Ofer <[EMAIL PROTECTED]> wrote:
> Hi p
>
> It says here that the TRACE method cannot be limited.
>
> -Ofer
>
> http://httpd.apache.org/docs/1.3/mod/core.html#limit
>
> ===
> <Limit> directive
>
> Syntax: <Limit method [method] ... > ... </Limit>
> Context: any
> Status: core
>
> Access controls are normally effective for all access methods, and this is the usual desired behavior. In the general case, access control directives should not be placed within a <Limit> section.
>
> The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected:
>
> <Limit POST PUT DELETE>
> Require valid-user
> </Limit>
>
> The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.
>
> Warning: A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, since a <LimitExcept> section provides protection against arbitrary methods.
> ===
>
> -----Original Message-----
> From: Pid [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 13, 2007 1:30 PM
> To: users@httpd.apache.org
> Subject: Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
>
> try this...
>
> http://httpd.apache.org/docs/1.3/mod/core.html#limit
>
> <Limit TRACE>
> Deny from all
> </Limit>
>
> p
>
> Yaniv Ofer wrote:
>> Hello
>>
>> Our application is running over Apache 1.3.33. As a result of a failed security test, we have been asked to disable the TRACE HTTP method on our Apache Server. Could you please refer me to a configuration/patch/fix that would disable the TRACE HTTP method for Apache 1.3.33 Server?
>>
>> Our Server should refuse the following HTTP TRACE request:
>>
>> ==
>> TRACE /inbox?Uid=379%2D100 HTTP/1.1
>> Host: 172.17.129.61:50084
>> ==
>>
>> Our current server replies with 200 OK for that request.
>>
>> Thanks
>> Ofer

--
Steve Swift
http://www.swiftys.org.uk
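A small verification script, added here as an example and not part of the thread, for checking your own server after applying Steve's mod_rewrite block: `rewrite_blocks` mirrors the `^(TRACE|TRACK)` condition so you can see which methods it catches, `classify_trace_response` interprets the reply to a TRACE probe (200 with the request echoed back is the failed-audit state Ofer describes, 403 is what the `[F]` rule produces), and `probe_trace` sends the probe. The host, port and the sample echoed body are assumptions constructed from the request quoted in the thread.

```python
import http.client
import re
from typing import Tuple

# Same pattern as the RewriteCond in the thread: %{REQUEST_METHOD} ^(TRACE|TRACK)
# (case-sensitive like Apache method names; REQUEST_METHOD holds only the method token).
BLOCKED = re.compile(r"^(TRACE|TRACK)")

# Constructed sample (assumption): what a server with TRACE enabled echoes back for
# the request Ofer quoted. TRACE reflects the request, headers included.
SAMPLE_ECHO = b"TRACE /inbox?Uid=379%2D100 HTTP/1.1\r\nHost: 172.17.129.61:50084\r\n\r\n"


def rewrite_blocks(method: str) -> bool:
    """True when the RewriteRule from the thread would answer this method with 403 [F]."""
    return BLOCKED.match(method) is not None


def classify_trace_response(status: int, body: bytes) -> str:
    """Interpret a reply to a TRACE probe.
    200 with the request line echoed back = TRACE still enabled (the failed-audit state);
    403 = blocked by the rewrite rule; 405/501 = method refused by the server itself."""
    if status == 200 and body.lstrip().startswith(b"TRACE "):
        return "enabled"
    if status == 403:
        return "forbidden"
    if status in (405, 501):
        return "refused"
    return "unknown"


def probe_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> Tuple[int, bytes]:
    """Send one TRACE request to a server you administer; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Host": f"{host}:{port}"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python trace_check.py HOST [PORT]
        status, body = probe_trace(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80)
    else:  # offline: classify the constructed sample
        status, body = 200, SAMPLE_ECHO
    print(f"TRACE -> {status}: {classify_trace_response(status, body)}")
```

Expect "forbidden" once the rewrite block is active and "enabled" beforehand; a 403 also confirms that mod_rewrite is loaded, which the `<IfModule>` wrapper would otherwise hide silently.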
Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
Steve Swift wrote:
> Try this, then:
>
> # Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
> <IfModule mod_rewrite.c>
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
> </IfModule>
>
> On 13/02/07, *Yaniv Ofer* <[EMAIL PROTECTED]> wrote:
>> Hi p
>>
>> It says here that the TRACE method cannot be limited.

my bad, apologies. Steve is right above.

>> -Ofer
>>
>> http://httpd.apache.org/docs/1.3/mod/core.html#limit
>>
>> ===
>> <Limit> directive
>>
>> Syntax: <Limit method [method] ... > ... </Limit>
>> Context: any
>> Status: core
>>
>> Access controls are normally effective for all access methods, and this is the usual desired behavior. In the general case, access control directives should not be placed within a <Limit> section.
>>
>> The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected:
>>
>> <Limit POST PUT DELETE>
>> Require valid-user
>> </Limit>
>>
>> The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.
>>
>> Warning: A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, since a <LimitExcept> section provides protection against arbitrary methods.
>> ===
>>
>> -----Original Message-----
>> From: Pid [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, February 13, 2007 1:30 PM
>> To: users@httpd.apache.org
>> Subject: Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33
>>
>> try this...
>>
>> http://httpd.apache.org/docs/1.3/mod/core.html#limit
>>
>> <Limit TRACE>
>> Deny from all
>> </Limit>
>>
>> p
>>
>> Yaniv Ofer wrote:
>>> Hello
>>>
>>> Our application is running over Apache 1.3.33. As a result of a failed security test, we have been asked to disable the TRACE HTTP method on our Apache Server. Could you please refer me to a configuration/patch/fix that would disable the TRACE HTTP method for Apache 1.3.33 Server?
>>>
>>> Our Server should refuse the following HTTP TRACE request:
>>>
>>> ==
>>> TRACE /inbox?Uid=379%2D100 HTTP/1.1
>>> Host: 172.17.129.61:50084
>>> ==
>>>
>>> Our current server replies with 200 OK for that request.
>>>
>>> Thanks
>>> Ofer
>
> --
> Steve Swift
> http://www.swiftys.org.uk