LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-10-2008, 12:21 AM   #1
SomnathG
LQ Newbie
 
Registered: Jul 2008
Posts: 5

Rep: Reputation: 0
Post How to trace and disable the HTTP TRACE method in Apache 1.3.33 with FreeBSD?


Hi,
I used following configuration settings in ".htaccess" file to disable the HTTP TRACE method, which I found as most common recommended solution.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]


My server configurations are as follows:
OS: FreeBSD
Webserver: Apache 1.3.33

I want to know how reliable is this?
Is there any simple way, by which I can be sure that it's really working
and the server is now secure from this vulnerability.
 
Old 11-11-2008, 09:41 AM   #2
Autocross.US
LQ Newbie
 
Registered: Aug 2006
Location: Chesapeake, VA
Distribution: Solaris, HP-UX, RedHat, Fedora
Posts: 15

Rep: Reputation: 0
One way to test if TRACE has been disabled is to telnet to port 80 (type the stuff in red):

telnet myserver.com 80
Connected to myserver.com (1.2.3.4).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: myserver.com
<press enter a few times>

If a 400 error is printed then you are secured:

HTTP/1.1 403 Forbidden
Date: Tue, 11 Nov 2008 15:26:33 GMT
Server: Apache/2.0.52 (OS Version)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
...
... html
... html
...

Here is an example of how to use telnet to test HTTP for future reference:
http://www.esqsoft.com/examples/trou...ing-telnet.htm

Last edited by Autocross.US; 11-11-2008 at 09:44 AM.
 
  


Reply

Tags
apache, disable, http, method, trace


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Disabling HTTP TRACE method in Apache bzlaskar Linux - Server 15 01-25-2010 08:44 AM
"killed" Message - how to trace/back trace ebinjose Linux - Kernel 1 01-29-2008 06:12 AM
Apache access+log can't trace a particular PC at second times SquallPang Linux - Security 1 12-27-2006 05:58 PM
apache mod_rewrite {TRACE|TRACK} woes noir911 *BSD 8 03-09-2006 12:55 AM
can't trace frequent apache crash/automagic restart error I_AM Linux - General 1 04-09-2005 08:13 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:18 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration