Greetings --

Running 2.2.17 on a CentOS 5.5 host. All the usual security tweaks (or, at least the ones I'm familiar with) in place. Had our network types run a Nessus scan against the host - all fine, except for the following, which I'm having trouble interpreting (and hoping for some 'interpretative guidance' here). It suggests using a rewrite to handle the issue (something I've never done). I'm also not entirely sure of what TRACE and TRACK do?

Thanks in advance -- semi-newbie, so flame throwers to 'singe only' please. ;-)

Basically, the scan found the following 'moderate risk' issue:

Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1

Solution :

Disable these methods. Refer to the plugin output for more information.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.9
(CVSS2#E:F/RL:W/RC:C)
Public Exploit Available : true


Plugin output :

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to