How to trace and disable the HTTP TRACE method in Apache 1.3.33 with FreeBSD?
Hi,
I used the following configuration settings in the ".htaccess" file to disable the HTTP TRACE method, which I found to be the most commonly recommended solution.

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

My server configuration is as follows:

    OS: FreeBSD
    Webserver: Apache 1.3.33

I want to know how reliable this is. Is there any simple way by which I can be sure that it's really working and the server is now secure from this vulnerability?
One way to test if TRACE has been disabled is to telnet to port 80 (type the stuff in red):
    telnet myserver.com 80
    Connected to myserver.com (1.2.3.4).
    Escape character is '^]'.
    TRACE / HTTP/1.1
    Host: myserver.com
    <press enter a few times>

If a 400 error is printed then you are secured:

    HTTP/1.1 403 Forbidden
    Date: Tue, 11 Nov 2008 15:26:33 GMT
    Server: Apache/2.0.52 (OS Version)
    Accept-Ranges: bytes
    Content-Length: 3985
    Connection: close
    ...
    ... html ... html ...

Here is an example of how to use telnet to test HTTP for future reference: http://www.esqsoft.com/examples/trou...ing-telnet.htm
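Added example, not part of the original posts: a scripted version of the telnet check above, which sends TRACE with a random marker header and reports the method as enabled only when the server echoes that marker back. It probes several paths because an .htaccess rule covers only its own directory tree; the header name X-Trace-Probe and the sample paths are assumptions.

```python
import socket
import uuid

def build_trace_request(host, path, marker):
    """The same request the telnet session types, plus a marker header (assumed name)."""
    return ("TRACE %s HTTP/1.1\r\nHost: %s\r\nX-Trace-Probe: %s\r\n"
            "Connection: close\r\n\r\n" % (path, host, marker)).encode("ascii")

def verdict(raw, marker):
    """Classify a raw HTTP response to a TRACE probe as (status, verdict)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return (None, "inconclusive")
    status = int(parts[1])
    # An active TRACE handler echoes the request, marker included, in the body.
    if status == 200 and marker.encode("ascii") in body:
        return (status, "enabled")
    # 403 is what the rewrite rule's [F] flag returns; 405/501 also mean refused.
    if status in (403, 405, 501):
        return (status, "blocked")
    return (status, "inconclusive")

def probe(host, port=80, paths=("/",), timeout=5):
    """Send TRACE to each path and return {path: (status, verdict)}."""
    results = {}
    for path in paths:
        marker = uuid.uuid4().hex
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_trace_request(host, path, marker))
                raw = b""
                while len(raw) < 65536:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
        except OSError as exc:
            results[path] = (None, "error: %s" % exc)
            continue
        results[path] = verdict(raw, marker)
    return results

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    # "/images/" is a hypothetical second directory; list the ones your site serves.
    for p, result in probe(target, paths=("/", "/images/")).items():
        print(p, *result)
```

Run it against your own server with the hostname as the first argument; any path that reports "enabled" is outside the reach of the .htaccess rule.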