Apache: "Multiple vendor's web server enable HTTP TRACE method by default."

  • 3019345
  • 28-Jan-2008
  • 26-Apr-2012

Environment

Novell NetWare 6 SP2
Novell NetWare 6.5
Apache for NetWare 1.3.26
Apache for NetWare 1.3.27
Apache for NetWare 2.0.x

Situation

Apache: "Multiple vendor's web server enable HTTP TRACE method by default."

Resolution

With Apache 1.3.34 and 2.0.55 (and later) it is possible to switch this behavior off with the line:

"TraceEnable Off"

For NetWare 6.0 modify SYS:/APACHE/CONF/ADMINSERV.CONF
For NetWare 6.5 modify SYS:/APACHE2/CONF/HTTPD.CONF

Read about TraceEnable in the Apache documentation here: http://httpd.apache.org/docs/2.0/mod/core.html#traceenable

For earlier versions of Apache it is possible to switch off TRACE with mod_rewrite:

Apache on NetWare 6.0 :

In SYS:/APACHE/CONF/ADMINSERV.CONF add the following:

Immediately after the line "LoadModule tls_module modules/mod_tls.nlm", add:
LoadModule rewrite_module modules/rewrite.nlm

Immediately before the line DocumentRoot "sys:/apache/nwdocs", add:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Another way to write the rule is as follows:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
RewriteRule .* - [F]

Apache on NetWare 6.5

Make the above mentioned change to the SYS:/APACHE2/CONF/HTTPD.CONF file.

Look for the line #LoadModule rewrite_module modules/rewrite.nlm and remove the comment character (#) from the beginning of the line so that the module is loaded.

Next, look for the line: DocumentRoot "SYS:/APACHE2/htdocs", and just before that line add either of the above mentioned rules.
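To check which of the two mitigations above a configuration file actually contains, and to catch the case where the rewrite rule is present but the LoadModule line is still commented out, here is an added Python audit script. It is not part of the TID; the config snippets it checks are constructed samples modelled on the lines above, not the real NetWare files.

```python
import re

# Constructed sample snippets modelled on the TID's two approaches (not the actual
# SYS:/APACHE/CONF/ADMINSERV.CONF or SYS:/APACHE2/CONF/HTTPD.CONF contents).
CONF_TRACEENABLE = 'TraceEnable Off\nDocumentRoot "SYS:/APACHE2/htdocs"\n'
CONF_REWRITE = (
    "LoadModule rewrite_module modules/rewrite.nlm\n"
    "RewriteEngine on\n"
    "RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\n"
    "RewriteRule .* - [F]\n"
    'DocumentRoot "sys:/apache/nwdocs"\n'
)
# Same rule, but the LoadModule line is still commented out (the NetWare 6.5 pitfall).
CONF_MODULE_COMMENTED = "#" + CONF_REWRITE

def _directives(conf_text):
    """Yield (lower-cased directive name, argument string) for each active line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def trace_mitigated(conf_text):
    """Return (bool, reason): does this config text block the TRACE method?"""
    rewrite_loaded = engine_on = False
    cond_blocks_trace = False  # set by a RewriteCond, consumed by the next RewriteRule
    rule_state = None          # (module loaded?, engine on?) when a forbidding rule was seen
    for name, args in _directives(conf_text):
        if name == "traceenable" and args.lower() == "off":
            return True, "TraceEnable Off"
        elif name == "loadmodule" and args.split()[:1] == ["rewrite_module"]:
            rewrite_loaded = True
        elif name == "rewriteengine":
            engine_on = args.lower() == "on"
        elif name == "rewritecond" and args.startswith("%{REQUEST_METHOD}"):
            pattern = args.split(None, 1)[1]
            # Apache uses PCRE; Python's re handles the simple anchored patterns used here.
            cond_blocks_trace = re.match(pattern, "TRACE") is not None
        elif name == "rewriterule":
            if cond_blocks_trace and re.search(r"\[[^\]]*\bF\b", args):
                rule_state = (rewrite_loaded, engine_on)
            cond_blocks_trace = False
    if rule_state is None:
        return False, "neither TraceEnable Off nor a forbidding rewrite rule found"
    loaded, on = rule_state
    if not loaded:
        return False, "rewrite rule present but rewrite_module is not loaded"
    if not on:
        return False, "rewrite rule present but RewriteEngine is not on"
    return True, "mod_rewrite rule returns 403 for TRACE"
```

Note that TraceEnable is only recognised from Apache 1.3.34 / 2.0.55 onward; on older builds the directive would be an error rather than a mitigation, so the rewrite approach is the one to audit there.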

Additional Information

The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. This behavior could be leveraged by attackers to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request.
For more information, see: http://www.kb.cert.org/vuls/id/867593

Formerly known as TID# 10082536
