Summary: | apache should be built with TRACE request off by default | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Matt Smith <slipmode> |
Component: | [OLD] Server | Assignee: | Donny Davies (RETIRED) <woodchip> |
Status: | RESOLVED WONTFIX | ||
Severity: | critical | CC: | mmokrejs, security, simpsonb, web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Matt Smith
2003-08-13 01:58:29 UTC
Interesting read, thanks for the link. The paper makes two recommendations for vendor Apache changes:

o Source Code Modification
o Mod_Rewrite Module

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

Have you seen or have a patch for this "source code modification" it mentions? Any idea which (if any) other vendors have picked this up yet? Thanks again...

By reading the paper I assume that there are vendors that have it disabled by default. They named off sites that still run it so I am guessing that others are not running it. I picked up on it when my Gentoo box was scanned with Nikto (http://www.cirt.net/code/nikto.shtml). I run a few distros here. I could try to scan the other ones to see if there is anyone that runs without TRACE enabled. Would require me to do a lil setup but I will post my results here shortly.

I tried RedHat 9.0 and Slackware 9.0 and it seems TRACE is enabled as well. The question I think is, is there a legitimate purpose for websites to run Trace? I honestly am not that familiar with the feature.

Neither am I. I still don't see this "source code modification" they talk about and don't really have time right now to chase it down. Could you dig it up by chance? That would be helpful.

Well I asked the people over at the users apache mailing list and got a few nuggets of info. These two links downplay the vulnerability with TRACE.

http://www.securityfocus.com/archive/1/307778/2003-01-23/2003-01-29/0
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-01/0233.html

Right now Gentoo's current apache 2.0.47 passes these options.

    Allow: GET,HEAD,POST,OPTIONS,TRACE

TRACE seems to be for debugging and connection analysis. Maybe a Gentoo user might want this feature. In most cases it will not be used by anyone so it may be better to remove it. In any case the only means of disabling TRACE was in the article and also described here.

http://www.apacheweek.com/issues/03-01-24#news

That's all I can find for now.
*** Bug 28805 has been marked as a duplicate of this bug. ***

Since this is marked as a critical bug, but apache.org says it's not a bug in apache and since it hasn't received attention for some time, maybe we should close this as a WONTFIX? You could also argue that it's INVALID, I suppose.

I've seen how these things work, so instead of waiting for someone to agree (or disagree), I'm closing it. Please reopen if needed.

Fine by me.

*** Bug 132050 has been marked as a duplicate of this bug. ***

Yes, this is not an apache bug in the sense of a bug in the source code. But it is a configuration issue and it is advised to disable the trace feature by default. I don't understand why such a risky "feature" should be turned on by default.

Subject: Re: [mod_python] Authentication and security in general

Oh, I should've mentioned that the latest Apache 2.2 has now made it much easier to disable TRACE with a new directive. See http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

If you're pre-2.2 though you still must use mod_rewrite.

--
Deron Meranda
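
An added example, not part of the bug thread and not code from Gentoo or Apache: a small audit helper for confirming, on a server you administer, whether either mitigation mentioned above (the mod_rewrite rule or TraceEnable) is actually in effect. The header name X-Trace-Audit, the marker value and the sample responses are constructed for illustration.

```python
import http.client

def classify_trace(status, headers, body, marker):
    """Classify a server's answer to a TRACE probe.

    headers is a dict with lower-cased names; marker is a unique value the
    probe sent, so a real echo can be told apart from a generic 200 page.
    """
    ctype = headers.get("content-type", "").lower()
    if status == 200 and (ctype.startswith("message/http") or marker in body):
        return "enabled"  # the request was echoed back: TRACE is on
    if status == 405:
        return "disabled (405, as returned with TraceEnable off)"
    if status == 403:
        return "blocked (403, as returned by the mod_rewrite [F] rule)"
    return "inconclusive (status %d)" % status

def allow_lists_trace(allow_header):
    """True if an Allow header like the one quoted in the thread lists TRACE."""
    return "TRACE" in [m.strip().upper() for m in allow_header.split(",")]

def probe(host, port=80, marker="trace-audit-0001"):
    """Send one TRACE request to your own server and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Audit": marker})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read(4096).decode("latin-1")
        return classify_trace(resp.status, headers, body, marker)
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "default": (200, {"content-type": "message/http"},
                "TRACE / HTTP/1.1\r\nHost: www.example.org\r\n"
                "X-Trace-Audit: trace-audit-0001\r\n\r\n"),
    "rewrite": (403, {"content-type": "text/html"}, "<h1>Forbidden</h1>"),
    "traceenable_off": (405, {"content-type": "text/html"},
                        "<h1>Method Not Allowed</h1>"),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(name, "->", classify_trace(status, headers, body, "trace-audit-0001"))
    print("Allow lists TRACE:", allow_lists_trace("GET,HEAD,POST,OPTIONS,TRACE"))
```

The Allow header alone is not proof either way, so the classification relies on the response to an actual TRACE request; a 200 that does not echo the marker is reported as inconclusive rather than enabled.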