Dne pátek 16 únor 2007 12:33 Dr. Peter Poeml napsal(a):
On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain me how much security problem is, when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work ("Nikto" scanner says "it's still TRACE enabled). I have no access to Apache and can't compile Apache with TRACE disabled.
Admin says: it is not dangerous, look at: http://www.ietf.org/rfc/rfc2616.txt
But scanner "Nikto" talks about 4 years old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel
Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
Is the problem that you have no access to the server config and can't disable it via .htaccess?
Peter I'm using .htaccess with this and it should disable TRACE:
RewriteEngine on RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* – [F] But "Nikto" still shows that TRACE is enabled. It looks that there is nobody in whole my country, who is able to explain what is wrong. I have sent request on root.cz to discussion and no answer. Pavel. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org