Pavel Chalupa wrote:

On Friday 16 February 2007 12:33 Dr. Peter Poeml wrote:
On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain to me how much of a security problem it is when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work (the "Nikto" scanner says TRACE is still enabled). I have no access to Apache and can't compile Apache with TRACE disabled.

The admin says it is not dangerous; look at: http://www.ietf.org/rfc/rfc2616.txt

But the "Nikto" scanner talks about a 4-year-old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel

Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

Is the problem that you have no access to the server config and can't disable it via .htaccess?

Peter

I'm using .htaccess with this, and it should disable TRACE:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

But "Nikto" still shows that TRACE is enabled. It looks like there is nobody in my whole country who is able to explain what is wrong. I have sent a request to the discussion on root.cz and got no answer.
Pavel.

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Hello! Maybe you should have a small look at your httpd.conf to see what SuSE intended for the rights of the .htaccess file on the webroot and its subfolders! Maybe this shows you why some things don't work. SuSE per default disallows some things in Apache for security reasons. What is safe to change here can be found with Google! Consider what is the truth and what is myth! Make your server as secure as you think it should be! Look, there are far too many servers on the internet with too many security holes, so they will be hit (no. 1) before yours (as they are honey pots for the dark side of the power)! Why don't you enable the above rewrite rule in your httpd.conf instead, or do you have no access?

Greets
Philippe

--
This message is digitally signed and contains neither seal nor signature! The unsolicited sending of advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
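As an added example (my own, not code from anyone in this thread), here is a small Python probe that sends one TRACE request to a server you run and classifies the answer the way a scanner such as Nikto does, so you can see for yourself whether the .htaccess rule or TraceEnable took effect. The sample responses and the host name www.example.invalid are constructed placeholders.

```python
import socket
import sys

# Constructed sample responses (not captured from any real server).
SAMPLE_REFLECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                    b"TRACE / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n")
SAMPLE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<h1>Forbidden</h1>"
SAMPLE_NOT_ALLOWED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"

def classify_trace_response(raw: bytes) -> str:
    """Return "enabled", "disabled" or "unknown" for a raw TRACE response.

    RFC 2616 9.8: a server honouring TRACE reflects the request in a 200 whose
    Content-Type is message/http. A 403 (what the mod_rewrite [F] flag sends)
    or a 405/501 means the method is refused. Anything else needs a manual look.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    reflected = (headers.get(b"content-type", b"").startswith(b"message/http")
                 or body.startswith(b"TRACE "))
    if status == 200 and reflected:
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"

def probe_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send a single TRACE request for `path` to host:port and classify the reply."""
    request = f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while data := sock.recv(4096):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: trace_check.py <hostname>")
    print(sys.argv[1], "TRACE is", probe_trace(sys.argv[1]))
```

Run it against your own host before and after editing .htaccess: if the directory is configured with AllowOverride None, Apache never reads the .htaccess at all and the result stays "enabled".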