asf-tooling opened a new issue, #1054:
URL: https://github.com/apache/tooling-trusted-releases/issues/1054

   **ASVS Level(s):** L2-only
   
   **Description:**
   
   ### Summary
   The Apache httpd reverse proxy configuration does not include the 
`TraceEnable Off` directive. Apache httpd enables TRACE by default. Critically, 
Apache handles TRACE requests natively—it echoes back the full HTTP request 
including all headers—and does not proxy TRACE to the backend application, 
regardless of ProxyPass rules. Sensitive headers (session cookies, 
Authorization tokens) are reflected back in TRACE responses, enabling 
Cross-Site Tracing (XST) attacks when combined with other vulnerabilities. Even 
though modern browsers block JavaScript TRACE requests, non-browser API clients 
and automated tools can still exploit this.
   
   ### Details
   The issue exists in `tooling-vm-ec2-de.apache.org.yaml` lines 76-155 and 
156-230. The Apache configuration lacks the `TraceEnable Off` directive at both 
the vhost level and globally, leaving the TRACE method enabled by default.
   
   ### Recommended Remediation
   Add `TraceEnable Off` to the Apache configuration at the vhost level or 
globally:
   
   **Option 1 (Vhost-level):**
   ```yaml
   # In tooling-vm-ec2-de.apache.org.yaml
   vhosts:
     - servername: tooling-vm-ec2-de.apache.org
       TraceEnable: 'Off'  # Add this directive
       # ... rest of configuration
   ```
   
   **Option 2 (Global via Puppet/Hiera):**
   ```yaml
   apache::trace_enable: 'Off'
   ```
   
   Verify with:
   ```bash
   # Print only the status code; without -i/-w plain curl shows just the body, so a 405 is not visible
   curl -sS -o /dev/null -w '%{http_code}\n' -X TRACE https://tooling-vm-ec2-de.apache.org/
   # Should print 405 (Method Not Allowed)
   ```
   
   ### Acceptance Criteria
   - [ ] `TraceEnable Off` directive added to Apache configuration
   - [ ] Unit tests verify TRACE method returns 405
   - [ ] Integration tests verify TRACE is disabled on all vhosts
   - [ ] Manual testing confirms TRACE requests are rejected
   - [ ] Documentation updated with TRACE method configuration
   
   ### References
   - Source reports: L2:13.4.4.md
   - Related findings: FINDING-295
   - ASVS sections: 13.4.4
   
   ### Priority
   Medium
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
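
Added example (not part of the issue above, and not code from the tooling-trusted-releases project): a self-contained Python check for the condition described in the Summary. It starts two throwaway local HTTP servers that stand in for httpd with `TraceEnable On` (the default: the request line and all request headers are echoed back as `message/http`) and with `TraceEnable Off` (405), then sends a TRACE request carrying canary `Cookie` and `Authorization` values and reports whether the canary comes back in the body. The stand-in server, the canary value and the `trace_check`/`run_demo` helpers are constructed for this example; pointing `trace_check` at a real host and port performs the same test as the `curl` line above but also makes header reflection explicit.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for httpd (not httpd itself). With trace_enabled=True
    it mimics the default TraceEnable On and echoes the request line and every
    request header back as message/http; with trace_enabled=False it mimics
    TraceEnable Off and answers 405 Method Not Allowed."""

    trace_enabled = True

    def do_TRACE(self):
        if not self.trace_enabled:
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD, POST")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Reflect exactly what the client sent: request line plus all headers.
        # This is how session cookies and bearer tokens end up in the response.
        header_block = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = self.raw_requestline + header_block.encode("latin-1") + b"\r\n"
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def trace_check(host, port, canary="xst-canary-7f3a"):
    """Send one TRACE request with a canary in Cookie and Authorization and
    report the status code and whether the canary was reflected in the body.
    A 405 with no reflection is the expected hardened result; a 200 that
    reflects the canary is the finding described in the issue."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={
            "Cookie": f"session={canary}",
            "Authorization": f"Bearer {canary}",
        })
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return {
            "status": resp.status,
            "reflected": canary in body,
            "allow": resp.getheader("Allow"),
        }
    finally:
        conn.close()


def start_server(trace_enabled):
    """Start a local server on an ephemeral port with the given TRACE behaviour."""
    handler = type("Handler", (TraceHandler,), {"trace_enabled": trace_enabled})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Run trace_check against both configurations and return the results."""
    results = {}
    for label, enabled in (("TraceEnable On", True), ("TraceEnable Off", False)):
        srv = start_server(enabled)
        try:
            results[label] = trace_check("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        verdict = "VULNERABLE (headers reflected)" if result["reflected"] else "ok"
        print(f"{label}: HTTP {result['status']}, "
              f"canary reflected={result['reflected']} -> {verdict}")
```

Against a deployed vhost, treat any 2xx that reflects the canary as a failed acceptance check, and record the `Allow` header of the 405 so the integration test can confirm TRACE is absent from it on every vhost.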

