Apache: "Multiple vendor's web server enable HTTP TRACE method by default."

Apache: "Multiple vendor's web server enable HTTP TRACE method by default."

With Apache 1.3.34 and 2.0.55 (and later) it is possible to switch this behavior off with the line:

"TraceEnable Off"

For NetWare 6.0 modify SYS:/APACHE/CONF/ADMINSERV.CONF
For NetWare 6.5 modify SYS:/APACHE2/CONF/HTTPD.CONF

Read about Traceenable in the Apache documentation for Apache here: http://httpd.apache.org/docs/2.0/mod/core.html#traceenable

For earlier versions of Apache it is possible to switch off TRACE with mod_rewrite:

Apache on NetWare 6.0 :

In SYS:/APACHE/CONF/ADMINSERV.CONF add the following:

In the line below "LoadModule tls_module modules/mod_tls.nlm" add:
LoadModule rewrite_module modules/rewrite.nlm

In the line above "DocumentRoot "sys:/apache/nwdocs"" add:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Another way to write the rule is as follows:

RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)

RewriteRule .* - [F]

Apache on NetWare 6.5

Make the above mentioned change to the SYS:/APACHE2/CONF/HTTPD.CONF file.

Look for a line that looks like #LoadModule rewrite_module modules/rewrite.nlm and remove the remark sign(#) from the beginning of the line.

Next, look for the line: DocumentRoot "SYS:/APACHE2/htdocs", and just before that line add either of the above mentioned rules.

The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. This behavior could be leveraged by attackers to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request.
For more information about this read: http://www.kb.cert.org/vuls/id/867593

Formerly known as TID# 10082536