[opensuse-security] TRACE enabled, Apache
Hello, can anybody explain me how much security problem is, when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work ("Nikto" scanner says "it's still TRACE enabled). I have no access to Apache and can't compile Apache with TRACE disabled. Admin says: it is not dangerous, look at: http://www.ietf.org/rfc/rfc2616.txt But scanner "Nikto" talks about 4 years old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf Should I worry about TRACE enabled? Thanks, Pavel --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain me how much security problem is, when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work ("Nikto" scanner says "it's still TRACE enabled). I have no access to Apache and can't compile Apache with TRACE disabled.
Admin says: it is not dangerous, look at: http://www.ietf.org/rfc/rfc2616.txt
But scanner "Nikto" talks about 4 years old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel
Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable Is the problem that you have no access to the server config and can't disable it via .htaccess? Peter -- SUSE LINUX Products GmbH Bug, bogey, bugbear, bugaboo: Research & Development A malevolent monster (not true?); Some mischief microbic; What makes someone phobic; The work one does not want to do. From: Chris Young (The Omnificent English Dictionary In Limerick Form)
Dne pátek 16 únor 2007 12:33 Dr. Peter Poeml napsal(a):
On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain me how much security problem is, when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work ("Nikto" scanner says "it's still TRACE enabled). I have no access to Apache and can't compile Apache with TRACE disabled.
Admin says: it is not dangerous, look at: http://www.ietf.org/rfc/rfc2616.txt
But scanner "Nikto" talks about 4 years old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel
Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
Is the problem that you have no access to the server config and can't disable it via .htaccess?
Peter I'm using .htaccess with this and it should disable TRACE:
RewriteEngine on RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* – [F] But "Nikto" still shows that TRACE is enabled. It looks that there is nobody in whole my country, who is able to explain what is wrong. I have sent request on root.cz to discussion and no answer. Pavel. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pavel Chalupa schrieb:
Dne pátek 16 únor 2007 12:33 Dr. Peter Poeml napsal(a):
On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain me how much security problem is, when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work ("Nikto" scanner says "it's still TRACE enabled). I have no access to Apache and can't compile Apache with TRACE disabled.
Admin says: it is not dangerous, look at: http://www.ietf.org/rfc/rfc2616.txt
But scanner "Nikto" talks about 4 years old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
Is the problem that you have no access to the server config and can't disable it via .htaccess?
Peter I'm using .htaccess with this and it should disable TRACE:
RewriteEngine on RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* – [F]
But "Nikto" still shows that TRACE is enabled. It looks that there is nobody in whole my country, who is able to explain what is wrong. I have sent request on root.cz to discussion and no answer.
Pavel. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Hello! Maybe you have a small look to your httpd.conf looking what SuSE has intended for rights for the .htaccess-file on webroot and it's subfolders! Maybe this shows you why some things don't work. SuSE per default disallows some things with apache for security reasons. What is secure to change here can be found with google! Consider what is the truth and what is myth! Make your server as secure as you think it should be! Look there are a lot too much servers on the internet that have to much security holes that they will be (no.1) hit before yours (as they are honey pods for the dark side of the power)! Why don't you enable the above rewrite rule not in your httpd.conf or do you have no access? Greeds Philippe - -- Diese Nachricht ist digital signiert und enthält weder Siegel noch Unterschrift! Die unaufgeforderte Zusendung einer Werbemail an Privatleute verstößt gegen §1 UWG und 823 I BGB (Beschluß des LG Berlin vom 2.8.1998 Az: 16 O 201/98). Jede kommerzielle Nutzung der übermittelten persönlichen Daten sowie deren Weitergabe an Dritte ist ausdrücklich untersagt! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: GnuPT 2.7.2 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQD1AwUBRdiTAENg1DRVIGjBAQKRgwb+O5rlxVpGW0JWhcmJfreShtmNiWN4GE8J QFcniD0ukcAPLBnkNC0MXD9iPlSvCvzKXTMthdIyGTUUhU/iWM35ZtEuXrdlwvCG LUdTXw/xtneVwQ0QEOIBqA7WBioAiX9SjPiZ65tFNq4AcJ2Y/yH5NzH9rZGPNc6B ZIOzXcgYBsriTPSgYD0JDjM7cg2AnCnGsl1rsBRXQi2hbVo1jyfICNACJKxQOGeU p1b91IFBSFtdgMvft2/eMv4A93ODxuw+cFJnlP1m29IHv0wkfG1TcbUmwGSTmNjx r9xd2M499/M= =KdGN -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Fri, Feb 16, 2007 at 12:54:51 +0100, Pavel Chalupa wrote:
Dne pátek 16 únor 2007 12:33 Dr. Peter Poeml napsal(a):
On Fri, Feb 16, 2007 at 06:32:46 +0100, Pavel Chalupa wrote:
Hello, can anybody explain me how much security problem is, when I have TRACE enabled in Apache? I tried to disable it with mod_rewrite inside the .htaccess file, but it does not work ("Nikto" scanner says "it's still TRACE enabled). I have no access to Apache and can't compile Apache with TRACE disabled.
Admin says: it is not dangerous, look at: http://www.ietf.org/rfc/rfc2616.txt
But scanner "Nikto" talks about 4 years old security problem: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
Should I worry about TRACE enabled?
Thanks, Pavel
Since 2.1.5, there is TraceEnable. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
Is the problem that you have no access to the server config and can't disable it via .htaccess?
Peter I'm using .htaccess with this and it should disable TRACE:
RewriteEngine on RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* – [F]
But "Nikto" still shows that TRACE is enabled. It looks that there is nobody in whole my country, who is able to explain what is wrong. I have sent request on root.cz to discussion and no answer.
You could use a RewriteLog to find out what's going on. Regards, Peter -- SUSE LINUX Products GmbH Bug, bogey, bugbear, bugaboo: Research & Development A malevolent monster (not true?); Some mischief microbic; What makes someone phobic; The work one does not want to do. From: Chris Young (The Omnificent English Dictionary In Limerick Form)
On Fri, Feb 16, 2007 at 06:32:46AM +0100, Pavel Chalupa wrote:
can anybody explain me how much security problem is, when I have TRACE enabled in Apache?
A victim of your website may have setup your machine as a trusted host. An attacker of that victim tricks him into a request from his machine to your host with the attackers provided content. The TRACE method will output that content to the victims browser which then processes the content with evelated privileges. You should disable TRACE for production webhosts, and only enable them for your developement IP space. Your doing no one a service by leaving them enabled but an attacker. Peter --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
participants (4)
-
Dr. Peter Poeml -
Pavel Chalupa -
Peter Wiersig -
Philippe Vogel