
On Fri, Feb 16, 2007 at 12:54:51 +0100, Pavel Chalupa wrote:
On Friday, 16 February 2007 12:33, Dr. Peter Poeml wrote:
On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain to me how much of a security problem it is when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work (the "Nikto" scanner says TRACE is still enabled). I have no access to Apache and can't compile Apache with TRACE disabled.
The admin says it is not dangerous; look at: http://www.ietf.org/rfc/rfc2616.txt
But the "Nikto" scanner talks about a 4-year-old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel
Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
Is the problem that you have no access to the server config and can't disable it via .htaccess?
Peter

I'm using .htaccess with this, and it should disable TRACE:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
But "Nikto" still shows that TRACE is enabled. It looks like there is nobody in my whole country who is able to explain what is wrong. I have sent a request to the root.cz discussion and got no answer.
You could use a RewriteLog to find out what's going on.

Regards,
Peter
-- 
SUSE LINUX Products GmbH        Bug, bogey, bugbear, bugaboo:
Research & Development          A malevolent monster (not true?);
                                Some mischief microbic;
                                What makes someone phobic;
                                The work one does not want to do.
                                From: Chris Young (The Omnificent English Dictionary In Limerick Form)
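To see for yourself what Nikto is reporting, here is an added check (not part of the thread or of Nikto) that sends one TRACE request and classifies the reply: a server with TRACE enabled echoes the request back as a message/http entity, Apache with TraceEnable off answers 405, and a mod_rewrite [F] rule answers 403. The X-Trace-Check header name and the two sample responses are constructed for the example.

```python
"""Check whether an HTTP server still answers TRACE (what Nikto is reporting)."""
import http.client

MARKER = "X-Trace-Check"  # hypothetical header, so we can recognise our own echoed request

# Constructed sample of an Apache server with TRACE enabled: the request comes
# back verbatim as a message/http entity, including our marker header.
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Trace-Check: 42\r\n\r\n"
)
# Constructed sample of a server with TraceEnable off (Apache replies 405).
SAMPLE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n"
    b"Content-Type: text/html\r\n\r\n<html>Method Not Allowed</html>"
)

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(status: int, headers: dict, body: bytes) -> str:
    """'enabled' if our request was echoed as message/http, 'disabled' on 403/405."""
    ctype = headers.get("content-type", "").lower()
    if status == 200 and ctype.startswith("message/http") and MARKER.lower().encode() in body.lower():
        return "enabled"
    if status in (403, 405):
        return "disabled"
    return "unknown"

def check_trace(host: str, port: int = 80, path: str = "/") -> str:
    """Send a single TRACE with the marker header to a live server and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("TRACE", path, headers={MARKER: "42"})
        resp = conn.getresponse()
        hdrs = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, hdrs, resp.read())
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    # With a hostname argument, test a live server; otherwise run on the constructed sample.
    print(check_trace(sys.argv[1]) if len(sys.argv) > 1 else classify(*parse_response(SAMPLE_ENABLED)))
```

Run it against your own host after changing the configuration; "disabled" is what a corrected server should return, and it matches the Nikto result either way.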