I've been trying out Openwall Linux on an old box of mine. I just finished setting up a chroot'ed Apache/PHP/MySQL setup according to these articles: Apache, PHP, and MySQL.
So far, so good. I've been checking the server's security by running a Nessus scan, which comes up fairly clean, with the following exception:
Quote:
. Warning found on port http (80/tcp)
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your
legitimate web users to give him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Now, my problem is that I compiled Apache without the mod_rewrite module. So I'm trying to deny TRACE and TRACK methods using mod_security. It seems a simple matter, but I'm not very good with regular expressions, so I was hoping someone here could give me some help.
I've tried each of the following, with no success:
Code:
SecFilterSelective REQUEST_METHOD "^(TRACE|TRACK).*$" "deny,status:405"
SecFilterSelective REQUEST_METHOD "^(TRACE|TRACK)" "deny,status:405"
SecFilterSelective REQUEST_METHOD "(^TRACE|^TRACK)" "deny,status:405"
SecFilterSelective REQUEST_METHOD "(TRACE|TRACK)" "deny,status:405"
I've also tried each of the above with double-quotes around "REQUEST_METHOD", and omitting the "deny,status:405" action (my config includes SecFilterDefaultAction "deny,log,status:500"), as well as trying each without specifying REQUEST_METHOD, using the SecFilter directive. But still no luck. Looking through the audit_log, it happily returns '200 OK' for each request.
This is one of those nagging annoyances which must have a solution that's perfectly obvious, once you know it, but I don't. Can someone help me out here?
Enjoy!
--- Cerbere
[edit] I've also tried returning a status of 403, both in the action of SecFilterSelective, and in the SecFilterDefaultAction. [/edit]
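Whichever rule ends up doing the job, the useful follow-up is the same check Nessus performs: send a TRACE request and see whether the server rejects it or reflects the request back in the body. The script below is an added example, not code from the original post or from mod_security. It includes two constructed local handlers (one that still honours TRACE, one that answers 405) so the check can be exercised offline; the host, port, probe header name and marker value are assumptions and can be changed freely.

```python
"""Verify that a web server rejects HTTP TRACE (the XST check Nessus performs)."""
import http.client
import http.server
import threading

PROBE_HEADER = "X-Probe-Marker"   # constructed header name used as an echo marker
PROBE_VALUE = "xst-check-7f3a"    # constructed value; any unique string works


def probe_trace(host, port, path="/", timeout=5.0):
    """Send a single TRACE request and report what came back.

    Returns (status, echoed): the HTTP status code and whether the response
    body contained our marker header. A server that honours TRACE answers
    200 with the request it received as the body (Content-Type message/http),
    so seeing the marker reflected means TRACE is still enabled.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status, PROBE_VALUE in body
    finally:
        conn.close()


def trace_is_disabled(host, port, path="/"):
    """True when the server neither accepts TRACE nor reflects the request."""
    status, echoed = probe_trace(host, port, path)
    return status >= 400 and not echoed


# --- Constructed local stand-ins so the check can run without a real server ---

class EchoTraceHandler(http.server.BaseHTTPRequestHandler):
    """Behaves like a server that still honours TRACE: reflects the request."""

    def do_TRACE(self):
        reflected = self.requestline + "\r\n" + str(self.headers)
        data = reflected.encode("latin-1", "replace")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class DenyTraceHandler(EchoTraceHandler):
    """Behaves like a server with TRACE disabled: 405 and no reflection."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_local_server(handler_cls):
    """Start a throwaway HTTP server on 127.0.0.1 and return (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Run the check against both stand-ins; point probe_trace at a real host
    # and port to verify an actual Apache/mod_security configuration.
    for name, cls in (("TRACE enabled", EchoTraceHandler),
                      ("TRACE denied", DenyTraceHandler)):
        srv, port = start_local_server(cls)
        status, echoed = probe_trace("127.0.0.1", port)
        print(f"{name}: status={status} echoed={echoed} "
              f"disabled={trace_is_disabled('127.0.0.1', port)}")
        srv.shutdown()
        srv.server_close()
```

The check looks at two things on purpose: the status code alone is not enough, because a filter that logs a deny but lets the request through (the '200 OK' seen in the audit_log above) still reflects the request, and that reflection is what the XST finding is about. Against a real host, replace the stand-ins with the server's address and treat any reflected marker as "still enabled".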