Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 26529 - apache should be built with TRACE request off be default
Summary: apache should be built with TRACE request off be default
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Donny Davies (RETIRED)
: 28805 132050 (view as bug list)
Depends on:
Reported: 2003-08-13 01:58 UTC by Matt Smith
Modified: 2006-05-02 13:46 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Smith 2003-08-13 01:58:29 UTC

Reproducible: Always
Steps to Reproduce:
Comment 1 Donny Davies (RETIRED) gentoo-dev 2003-08-13 19:47:53 UTC
Interesting read, thanks for the link.

The paper makes two reccomendations for vendor Apache changes:
o Source Code Modification
o Mod_Rewrite Module
  RewriteEngine on
  RewriteRule .* [F]

Have you seen or have a patch for this "source code modification"
it mentions.  Any idea which (if any) other vendors have picked
this up yet?

Thanks again...
Comment 2 Matt Smith 2003-08-15 00:34:18 UTC
By reading the paper I assume that there are vendors that have it disabled by default. They named off sites that still run it so I am guessing that others are not running it.

I picked up on it when my Gentoo box was scanned with Nikto (

I run a few distros here. I could try to scan the other ones to see if there are anyone that runs without TRACE enabled. Would require me to-do a lil setup but I will post my results. Here shortly.
Comment 3 Matt Smith 2003-08-15 01:48:15 UTC
I tried RedHat 9.0 and Slackware 9.0 and it seems TRACE is enabled as well.
The question I think is, is there a legitimate purpose for websites to run Trace. I honestly am not that familiar with the feature.
Comment 4 Donny Davies (RETIRED) gentoo-dev 2003-08-21 21:56:25 UTC
Neither am I.

I still dont see this "source code modification" they talk about and dont
really have time right now to chase it down.  Could you dig it up by
chance, that would be helpful.
Comment 5 Matt Smith 2003-08-28 14:33:11 UTC
Well I asked the people over at the users apache mailing list and got a few nuggets of info.

These two links downplay the vulnerability with TRACE.

Right now gentoos current apache 2.0.47 passes these options.

TRACE seems to be for debugging and connection analysis. Maybe a gentoo user might want this feature. In most cases it will not be used by anyone so it may be better to remove it. In anycase the only means of disableing TRACE was in the article and also described here.

Thats all I can find for now.
Comment 6 SpanKY gentoo-dev 2003-09-15 10:07:40 UTC
*** Bug 28805 has been marked as a duplicate of this bug. ***
Comment 7 Andrew Cooks (RETIRED) gentoo-dev 2004-01-19 09:21:54 UTC
Since this is marked as a critical bug, but says it's not a bug in apache and since it hasn't received attention for some time, maybe we should close this as a WONTFIX? You could also argue that it's INVALID, I suppose.

I've seen how these things work, so instead of waiting for someone to agree (or disagree), I'm closing it. Please reopen if needed.
Comment 8 Donny Davies (RETIRED) gentoo-dev 2004-01-19 10:17:20 UTC
Fine by me.
Comment 9 Jakub Moc (RETIRED) gentoo-dev 2006-05-02 13:25:25 UTC
*** Bug 132050 has been marked as a duplicate of this bug. ***
Comment 10 Martin Mokrejš 2006-05-02 13:46:15 UTC
Yes, this is not a apache bug in the meaning bug in the source code. But it is a configuration issue and it is advised to disable the trace feature by default.
I don't understand why such a risky "feature" should be turned on by default.

Subject: Re: [mod_python] Authentication and security in general
Oh, I should've mentioned that the latest Apache 2.2 has now
made it much easier to disable TRACE with a new directive.  See

If you're pre-2.2 though you still must use mod_rewrite.
Deron Meranda
Mod_python mailing list