I think you are correct.

r...@helen:/etc# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 05 Aug 2010 16:06:13 GMT
Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0

Connection closed by foreign host.

The false positive alarms the credit card security scanners.

On Thu, Aug 5, 2010 at 10:48 AM, Joe McDonagh <[email protected]> wrote:

> On 08/04/2010 09:34 AM, Jim Tarvid wrote:
>
>> + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
>> + OSVDB-877: HTTP TRACE method is active, suggesting the host is
>> vulnerable to XST
>>
>> /etc/apache2/apache2.conf has
>> Include /etc/apache2/conf.d/ which has
>> security.dpkg-dist which has
>> TraceEnable Off
>>
>> but TRACE is on
>>
>> and why should OPTIONS be on too?
>>
>> --
>> Rev. Jim Tarvid, PCA
>> Galax, Virginia
>> http://ls.net
>>
> I don't think TRACE is actually on, even though it says it is.
>
> --
> Joe McDonagh
> Operations Engineer
> AIM: YoosingYoonickz
> IRC: joe-mac on freenode
> "When the going gets weird, the weird turn pro."

--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
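
Added example, not part of the original thread: a small Python check that decides from a raw server reply whether a TRACE request was actually served, which is the question the scanner finding and the telnet test in the thread turn on. The function names and the 405 reply are constructed for illustration; the 200 reply is the one shown in the telnet session.

```python
def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def trace_verdict(request_line, raw):
    """Return 'enabled', 'disabled' or 'inconclusive' for a TRACE probe.

    'enabled' needs all three signs of a served TRACE: a 200 status, a
    message/http content type, and the request line echoed in the body.
    """
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    echoed = request_line.strip() in [l.strip() for l in body.split("\n")]
    if status == 200 and ctype == "message/http" and echoed:
        return "enabled"
    if status in (403, 405, 501):  # refused, not allowed, not implemented
        return "disabled"
    return "inconclusive"


# Reply as shown in the telnet session in the thread.
THREAD_REPLY = (
    "HTTP/1.1 200 OK\n"
    "Date: Thu, 05 Aug 2010 16:06:13 GMT\n"
    "Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g\n"
    "Connection: close\n"
    "Content-Type: message/http\n"
    "\n"
    "TRACE / HTTP/1.0\n"
)

# Constructed sample: a reply in which the server rejects the method.
REJECTED_REPLY = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body>Method Not Allowed</body></html>\r\n"
)

if __name__ == "__main__":
    print(trace_verdict("TRACE / HTTP/1.0", THREAD_REPLY))
    print(trace_verdict("TRACE / HTTP/1.0", REJECTED_REPLY))
```
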
