On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain me how much security problem is, when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work ("Nikto" scanner says "it's still TRACE enabled). I have no access to Apache and can't compile Apache with TRACE disabled.
Admin says: it is not dangerous, look at: http://www.ietf.org/rfc/rfc2616.txt
But scanner "Nikto" talks about 4 years old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel
Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable Is the problem that you have no access to the server config and can't disable it via .htaccess? Peter -- SUSE LINUX Products GmbH Bug, bogey, bugbear, bugaboo: Research & Development A malevolent monster (not true?); Some mischief microbic; What makes someone phobic; The work one does not want to do. From: Chris Young (The Omnificent English Dictionary In Limerick Form)