RE: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

2007-02-14 Thread Chirouze Olivier
Hi,
 
I think you should manage to do this by using the RewriteCond directive and
the REQUEST_METHOD variable
(http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond). You
should be able to build a test that says: if the HTTP method is TRACE,
then forbid it. The next line should then be a RewriteRule that makes the
request forbidden.

It *should* look like that (I haven't tested):

RewriteEngine on
RewriteCond  %{REQUEST_METHOD}  ^TRACE$
# "-" keeps the URL unchanged; [F] answers 403 Forbidden
RewriteRule  .*  -  [F]

Hope that'll help (please tell us).

Olivier

Olivier CHIROUZE
I0 Infrastructure 
Volvo Information Technology 




From: Yaniv Ofer [mailto:[EMAIL PROTECTED] 
Sent: 13 February 2007 12:01
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache
1.3.33



Hello   

Our application is running over Apache 1.3.33.

As a result of a failed security test, we have been asked to
disable the TRACE HTTP method on our Apache Server.

Could you please refer me to a configuration/patch/fix that
would disable the TRACE HTTP method for Apache 1.3.33 Server?

Our Server should refuse the following HTTP TRACE request:

==

TRACE /inbox?Uid=379%2D100 HTTP/1.1

Host: 172.17.129.61:50084

==

Our current server replies with 200 OK for that request.

Thanks

 Ofer

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

2007-02-13 Thread Pid

try this...


http://httpd.apache.org/docs/1.3/mod/core.html#limit

<Limit TRACE>
Deny from all
</Limit>


p





RE: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

2007-02-13 Thread Yaniv Ofer

Thanks!!! 




RE: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

2007-02-13 Thread Yaniv Ofer

Hi p

It says here that the TRACE method cannot be limited.

-Ofer

http://httpd.apache.org/docs/1.3/mod/core.html#limit

===
<Limit> directive
Syntax: <Limit method [method] ... > ... </Limit>
Context: any
Status: core
Access controls are normally effective for all access methods, and this
is the usual desired behavior. In the general case, access control
directives should not be placed within a <Limit> section.

The purpose of the <Limit> directive is to restrict the effect of the
access controls to the nominated HTTP methods. For all other methods,
the access restrictions that are enclosed in the <Limit> bracket will
have no effect. The following example applies the access control only to
the methods POST, PUT, and DELETE, leaving all other methods
unprotected:

<Limit POST PUT DELETE>
Require valid-user
</Limit>
The method names listed can be one or more of: GET, POST, PUT, DELETE,
CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
and UNLOCK. The method name is case-sensitive. If GET is used it will
also restrict HEAD requests. The TRACE method cannot be limited.

Warning: A <LimitExcept> section should always be used in preference to
a <Limit> section when restricting access, since a <LimitExcept> section
provides protection against arbitrary methods.

===
 




Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

2007-02-13 Thread Steve Swift

Try this, then:

# Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

On 13/02/07, Yaniv Ofer [EMAIL PROTECTED] wrote:



Hi p

It says here that the TRACE method cannot be limited.

-Ofer

--
Steve Swift
http://www.swiftys.org.uk
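The thread's own acceptance test is the raw TRACE request Ofer quotes and whether the server still answers 200 OK. The script below is an added example, not code from the thread or from the Apache httpd project: it sends that request (and a TRACK one, which Steve's rule also covers) over a plain socket and classifies the answer. A 200 with Content-Type message/http that echoes the request line back means the method is enabled; the 403 that `RewriteRule .* - [F]` produces, or a 405/501, means it is refused; a 200 without the echo is flagged separately, because then something other than the TRACE handler (a proxy, an application route) answered. The host, port and path are the ones quoted in the thread; the two sample responses are constructed so the classifier can be exercised offline. One caveat not in the thread: Apache 1.3.34 and 2.0.55 and later ship a `TraceEnable off` directive, so the mod_rewrite workaround is only necessary on 1.3.33 and older.

```python
"""Probe a server for the TRACE and TRACK methods and judge its answer.

Added example, not code from the mailing-list thread or from Apache httpd.
The host, port and path used in the usage line are the ones quoted in the
thread; the two sample responses at the bottom are constructed, not captured
from that server.
"""
import socket
import sys
from typing import Dict, List, NamedTuple, Optional

PROBED_METHODS = ("TRACE", "TRACK")


class TraceResult(NamedTuple):
    method: str
    status: Optional[int]
    reason: str
    enabled: bool


def build_request(method: str, path: str, host: str, port: int) -> bytes:
    """Build the raw HTTP/1.1 request shape from the thread (method, path, Host header)."""
    if method not in PROBED_METHODS:
        raise ValueError("only TRACE and TRACK are probed")
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify_response(method: str, raw: bytes) -> TraceResult:
    """Decide from the raw response bytes whether the method is enabled.

    Enabled TRACE: 200, Content-Type message/http, body starts with the request
    line we sent. 403 (mod_rewrite's [F]), 405 or 501: refused. A 200 without
    the echo is not counted as enabled but is flagged, since something other
    than the TRACE handler (a proxy, an application handler) answered.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return TraceResult(method, None, "unparseable status line", False)
    status = int(parts[1])
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    if status != 200:
        return TraceResult(method, status, f"server refused {method} with {status}", False)
    echoed = body.startswith(method.encode("ascii") + b" ")
    if headers.get(b"content-type", b"").startswith(b"message/http") and echoed:
        return TraceResult(method, status, f"{method} enabled: request echoed back", True)
    return TraceResult(method, status, "200 but no request echo; check what answered", False)


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> List[TraceResult]:
    """Send one TRACE and one TRACK request (network I/O) and classify both answers."""
    results = []
    for method in PROBED_METHODS:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(method, path, host, port))
            chunks = []
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        results.append(classify_response(method, b"".join(chunks)))
    return results


# Constructed sample responses (not captured from the server in the thread).
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.33\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE /inbox?Uid=379%2D100 HTTP/1.1\r\n"
    b"Host: 172.17.129.61:50084\r\n"
)
SAMPLE_FORBIDDEN = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>\r\n"
)

if __name__ == "__main__":
    # Usage: python trace_probe.py 172.17.129.61 50084 '/inbox?Uid=379%2D100'
    if len(sys.argv) < 3:
        for name, sample in (("enabled", SAMPLE_ENABLED), ("forbidden", SAMPLE_FORBIDDEN)):
            print(name, classify_response("TRACE", sample))
    else:
        target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
        for r in probe(sys.argv[1], int(sys.argv[2]), target_path):
            print(f"{r.method}: {r.status} {'ENABLED' if r.enabled else 'refused'} ({r.reason})")
```

Run it against the server before and after adding the rewrite rules: the "before" answer should classify as enabled, the "after" as refused with a 403. Because it speaks raw HTTP rather than going through a client library, it also sends the method exactly as the security scanner did, which matters since the rule matches the literal method string.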


Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

2007-02-13 Thread Pid

Steve Swift wrote:

Try this, then:

# Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

On 13/02/07, Yaniv Ofer [EMAIL PROTECTED] wrote:



Hi p

It says here that the TRACE method cannot be limited.


my bad, apologies.
Steve is right above.


