Re: [suse-security] Apache log "CONNECT a.b.c.d:25" "200" (fwd)
ok, I found this in my personal archive, and the link is even still valid:
Bug #19113 HTTP status 200 returned on HTTP CONNECT when mod_proxy not in use http://bugs.php.net/bug.php?id=19113
Lars Ellenberg
Thank you Lars for your help! I have looked at the bug report, and applied the following 'patch' to httpd.conf, after my DocRoot Directory container. This is followed by another Directory listing to deny access to the rest of my srv docs. I only want to allow access to the root directory, so others can get my site homepage by just entering the domain name of the machine.

snip xxxxx

    <Directory "/">
        DirectoryIndex karsites.hml
        Options None
        AllowOverride None
        Order Deny,Allow
        Allow from all
    </Directory>

    # remove the CONNECT bug
    # http://bugs.php.net/bug.php?id=19113
    <Location />
        <Limit CONNECT>
            Order deny,allow
            Deny from all
        </Limit>
    </Location>

snip xxxxx # end of httpd.conf

However, when I do

    karsites:/home/keith # telnet localhost 80
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    CONNECT 127.0.0.1:80 HTTP/1.0

Without the fix to limit CONNECT, I get the raw source code from my DirectoryIndex page, karsites.hml

With the patch applied to httpd.conf I get the following:

    HTTP/1.1 403 Forbidden
    Date: Sat, 28 Feb 2004 15:07:07 GMT
    Server: Apache/1.3.26 (Linux/SuSE)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>403 Forbidden</TITLE>
    </HEAD><BODY>
    <H1>Forbidden</H1>
    You don't have permission to access / on this server.<P>
    <HR>
    <ADDRESS>Apache/1.3.26 Server at <A HREF="mailto:keith@my-server.co.uk">my-server.co.uk</A> Port 80</ADDRESS>
    </BODY></HTML>
    Connection closed by foreign host.
    karsites:/home/keith #

Which is just the source code for the Apache generated error message.

The access_log now records the correct details -

    127.0.0.1 - - [28/Feb/2004:15:34:27 +0000] "CONNECT 127.0.0.1:80 HTTP/1.0" 403 311

NB is it possible for an attacker to ftp to my machine, and use the above technique to download the source code of my web applications?

Kind Regards - Keith Roberts
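Added example, not part of the original message and not Apache's own code: a Python audit of access_log lines in the format quoted above, separating CONNECT requests that were answered with a 2xx status from those that were refused. The function names and all sample lines except the 403 entry from the message are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format prefix: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def audit_connect(lines):
    """Map each client to its CONNECT requests as (time, target, status, verdict)."""
    findings = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; ignore
        parts = m.group("request").split()
        if len(parts) < 2 or parts[0] != "CONNECT":
            continue
        status = int(m.group("status"))
        # 2xx: the server did not refuse the request, so it needs review.
        # Anything else (such as the 403 after the <Limit CONNECT> change) is refused.
        verdict = "ANSWERED" if 200 <= status < 300 else "refused"
        findings[m.group("host")].append(
            (m.group("time"), parts[1], status, verdict))
    return dict(findings)

def clients_to_review(findings):
    """Clients that had at least one CONNECT answered with a 2xx status."""
    return sorted(h for h, rows in findings.items()
                  if any(r[3] == "ANSWERED" for r in rows))

# Constructed sample lines; only the 403 entry is the one quoted in the message.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Feb/2004:14:02:11 +0000] "CONNECT 198.51.100.7:25 HTTP/1.0" 200 1456',
    '192.0.2.10 - - [28/Feb/2004:14:02:15 +0000] "GET / HTTP/1.0" 200 1456',
    '127.0.0.1 - - [28/Feb/2004:15:34:27 +0000] "CONNECT 127.0.0.1:80 HTTP/1.0" 403 311',
    'not a log line',
]

if __name__ == "__main__":
    result = audit_connect(SAMPLE_LOG)
    for host, rows in result.items():
        for when, target, status, verdict in rows:
            print(f"{verdict:8} {host} -> {target} [{when}] status={status}")
    print("review:", clients_to_review(result))
```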