Steve Swift wrote:
Try this, then:

# Suppress the TRACE and TRACK methods to avoid cross-site scripting vulnerability
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

On 13/02/07, *Yaniv Ofer* <[EMAIL PROTECTED]> wrote:


    Hi p

    It says here that the TRACE method cannot be limited.

my bad, apologies.
Steve is right above.


    -Ofer

    http://httpd.apache.org/docs/1.3/mod/core.html#limit
    ========================================================================
    <Limit> directive
    Syntax: <Limit method [method] ... > ... </Limit>
    Context: any
    Status: core
    Access controls are normally effective for all access methods, and this
    is the usual desired behavior. In the general case, access control
    directives should not be placed within a <limit> section.

    The purpose of the <Limit> directive is to restrict the effect of the
    access controls to the nominated HTTP methods. For all other methods,
    the access restrictions that are enclosed in the <Limit> bracket will
    have no effect. The following example applies the access control only to
    the methods POST, PUT, and DELETE, leaving all other methods unprotected:

    <Limit POST PUT DELETE>
    Require valid-user
    </Limit>
    The method names listed can be one or more of: GET, POST, PUT, DELETE,
    CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK,
    and UNLOCK. The method name is case-sensitive. If GET is used it will
    also restrict HEAD requests. The TRACE method cannot be limited.

    Warning: A <LimitExcept> section should always be used in preference to
    a <Limit> section when restricting access, since a <LimitExcept> section
    provides protection against arbitrary methods.
    ========================================================================


    -----Original Message-----
    From: Pid [mailto:[EMAIL PROTECTED]]
    Sent: Tuesday, February 13, 2007 1:30 PM
    To: [email protected]
    Subject: Re: [EMAIL PROTECTED] Disable TRACE HTTP method on Apache 1.3.33

    try this...


    http://httpd.apache.org/docs/1.3/mod/core.html#limit

    <Limit TRACE>
    Deny from all
    </Limit>


    p


    Yaniv Ofer wrote:
     > Hello
     >
     > Our application is running over Apache 1.3.33.
     >
     > As a result of a failed security test, we have been asked to disable
     > the TRACE HTTP method on our Apache Server.
     >
     > Could you please refer me to a configuration/patch/fix that would
     > disable the TRACE HTTP method for Apache 1.3.33 Server?
     >
     > Our Server should refuse the following HTTP TRACE request:
     >
     > ==========================================================
     >
     > TRACE /inbox?Uid=379%2D100 HTTP/1.1
     >
     > Host: 172.17.129.61:50084
     >
     > ==========================================================
     >
     > Our current server replies with 200 OK for that request.
     >
     > Thanks
     >
     >  Ofer
     >


    ---------------------------------------------------------------------
    The official User-To-User support forum of the Apache HTTP Server
    Project.
    See <URL:http://httpd.apache.org/userslist.html> for more info.
    To unsubscribe, e-mail: [EMAIL PROTECTED]
       "   from the digest: [EMAIL PROTECTED]
    For additional commands, e-mail: [EMAIL PROTECTED]





--
Steve Swift
http://www.swiftys.org.uk
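A way to confirm the fix from the outside, as an added example that is not code from anyone in this thread: it sends the TRACE request shape quoted in the original question and reports the status and whether the server echoed the request back (the 200 OK reflection the security test flagged). The server it probes here is a constructed stand-in, not Apache; point check_trace() at a real host and port to test the RewriteRule above.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def check_trace(host, port, path="/inbox?Uid=379%2D100"):
    """Send TRACE and return (status, echoed); echoed is True when the body
    reflects the request line, i.e. TRACE is still enabled on the server."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"Host": f"{host}:{port}"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return resp.status, f"TRACE {path} HTTP/1.1" in body


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in server, not Apache: echoes TRACE with 200 like a
    default Apache 1.3, or refuses it with 403 as the RewriteRule [F] does."""
    protocol_version = "HTTP/1.1"

    def do_TRACE(self):
        if self.server.refuse:
            status, body = 403, b"Forbidden"
        else:
            status, body = 200, f"{self.requestline}\r\n".encode() + bytes(self.headers)
        self.send_response(status)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run_check(refuse):
    """Start the stand-in on a free loopback port, probe it, return the result."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    srv.refuse = refuse
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_trace("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("default Apache 1.3 behaviour :", run_check(refuse=False))  # (200, True)
    print("TRACE refused via RewriteRule:", run_check(refuse=True))   # (403, False)
```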

