Koozali.org: home of the SME Server

TraceEnable off - Apache

Offline russs

TraceEnable off - Apache
« on: May 06, 2008, 11:03:54 AM »
Hi Guys,

I am having trouble at the moment with a company that needs to do a security scan of our site.
I know that sounds 'dodgy' but it's alright, they are definitely genuine!

Their scanner is complaining about Track and Trace as shown below:

Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution: Disable these methods.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution: Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.
Plugin output : The server response from a TRACE request is :
TRACE /SMetrics353344255.html HTTP/1.1
Connection: Close
Host: www.server.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U ScanComp )
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877, OSVDB:3726

So, I think I just need to use the 'TraceEnable' directive in Apache to disable this feature, but I'm not sure about setting it up. Do I need to make a template entry or, as it's just temporary for the scan, can I just add this directly to the httpd.conf file?

Thanks
Russ
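An added example (not from this thread or from SME Server) for verifying the fix after the server has been reconfigured: a small Python checker that sends the same kind of TRACE request the scanner used and classifies Apache's answer. With TraceEnable off Apache answers 405; with the RewriteRule [F] variant it answers 403; while TRACE is still enabled it answers 200 and echoes the request back as message/http. Host names and the sample responses are constructed.

```python
import http.client

def build_trace_request(host: str, path: str = "/") -> bytes:
    """Raw TRACE request of the kind the scanner sent (host is a constructed value)."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_trace_response(status: int, headers: dict, body: bytes) -> str:
    """'enabled'  : 200 with a message/http echo of our own request (TRACE still on)
       'disabled' : 405 (TraceEnable off), 403 (RewriteRule [F]) or 501
       'unknown'  : anything else, e.g. a proxy answering instead of Apache."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    if status == 200 and (ctype.startswith("message/http") or body.startswith(b"TRACE ")):
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"

def probe(host: str, path: str = "/", port: int = 80, timeout: float = 5.0) -> str:
    """Send one TRACE request to a server you administer and classify its answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        return classify_trace_response(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()

# Constructed sample responses (not captured from any real host).
SAMPLE_TRACE_ON = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                   b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
SAMPLE_TRACE_OFF = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                    b"Allow: GET,HEAD,POST,OPTIONS\r\n\r\n<html>Method Not Allowed</html>")
```

Run probe("your.host") once before and once after restarting Apache with TraceEnable off; the result should move from "enabled" to "disabled".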


Offline byte

Re: TraceEnable off - Apache
« Reply #1 on: May 06, 2008, 11:26:36 AM »
I am having trouble at the moment with a company that needs to do a security scan of our site.
I know that sounds 'dodgy' but it's alright, they are definitely genuine!

As always - Please contact security [at] contribs [dot] org
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline russs

Re: TraceEnable off - Apache
« Reply #2 on: May 06, 2008, 11:41:33 AM »
Hi Byte

Is it an answer you would rather not give out on the forums, do you mean?

Is this the normal procedure on such occasions then? I'll remember for the future if it is.

Thanks

Russ

Offline byte

Re: TraceEnable off - Apache
« Reply #3 on: May 06, 2008, 12:34:48 PM »
Is this the normal procedure on such occasions then? I'll remember for the future if it is

Yes, this has always been the normal procedure to contact contribs if there is a potential security issue, as you will note from reading at the top when you post a new thread:

Don't report security issues here - Contact security at contribs dot org
Don't report problems here - Please report bugs and potential bugs in the bug tracker
Don't ask the same question twice - Please search the forums, your question may have been asked before - Thank You.

Thanks.
--[byte]--