LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   How to trace and disable the HTTP TRACE method in Apache 1.3.33 with FreeBSD? (http://www.linuxquestions.org/questions/linux-security-4/how-to-trace-and-disable-the-http-trace-method-in-apache-1-3-33-with-freebsd-682275/)

SomnathG 11-10-2008 12:21 AM

How to trace and disable the HTTP TRACE method in Apache 1.3.33 with FreeBSD?
 
Hi,
I used following configuration settings in ".htaccess" file to disable the HTTP TRACE method, which I found as most common recommended solution.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]


My server configurations are as follows:
OS: FreeBSD
Webserver: Apache 1.3.33

I want to know how reliable is this?
Is there any simple way, by which I can be sure that it's really working
and the server is now secure from this vulnerability.

Autocross.US 11-11-2008 09:41 AM

One way to test if TRACE has been disabled is to telnet to port 80 (type the stuff in red):

telnet myserver.com 80
Connected to myserver.com (1.2.3.4).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: myserver.com
<press enter a few times>

If a 400 error is printed then you are secured:

HTTP/1.1 403 Forbidden
Date: Tue, 11 Nov 2008 15:26:33 GMT
Server: Apache/2.0.52 (OS Version)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
...
... html
... html
...

Here is an example of how to use telnet to test HTTP for future reference:
http://www.esqsoft.com/examples/trou...ing-telnet.htm


All times are GMT -5. The time now is 05:16 AM.