Apache TraceEnable on
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

/etc/apache2/apache2.conf has Include /etc/apache2/conf.d/ which has security.dpkg-dist which has TraceEnable Off

but TRACE is on

and why should OPTIONS be on too?

--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
Apache TraceEnable on
I think you are correct.

root@helen:/etc# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 05 Aug 2010 16:06:13 GMT
Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0

Connection closed by foreign host.

The false positive alarms the credit card security scanners.

On Thu, Aug 5, 2010 at 10:48 AM, Joe McDonagh <joseph.e.mcdonagh@gmail.com> wrote:

> On 08/04/2010 09:34 AM, Jim Tarvid wrote:
>
>> + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
>> + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
>>
>> /etc/apache2/apache2.conf has Include /etc/apache2/conf.d/ which has security.dpkg-dist which has TraceEnable Off
>>
>> but TRACE is on
>>
>> and why should OPTIONS be on too?
>>
>> --
>> Rev. Jim Tarvid, PCA
>> Galax, Virginia
>> http://ls.net
>
> I don't think TRACE is actually on, even though it says it is.
>
> --
> Joe McDonagh
> Operations Engineer
> AIM: YoosingYoonickz
> IRC: joe-mac on freenode
> "When the going gets weird, the weird turn pro."

--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
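
The telnet test above, turned into a repeatable check (an added example, not part of the original thread): it classifies a raw response to a TRACE probe, treating a 200 with Content-Type: message/http and an echoed request line as TRACE being served, and a 403, 405 or 501 as the method being refused. The function names and the 405 sample are constructed for illustration; the first sample is the response quoted in the thread, with CRLF line endings assumed.

```python
# Added example: classify a raw HTTP response to a TRACE probe.
SAMPLE_REQUEST = b"TRACE / HTTP/1.0\r\n\r\n"
# Response as quoted in the thread's telnet session (CRLF line endings assumed).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 05 Aug 2010 16:06:13 GMT\r\n"
    b"Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.0\r\n\r\n"
)
# Constructed for comparison, not from the thread: a server refusing TRACE.
REFUSED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Connection: close\r\n\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    text = raw.replace(b"\r\n", b"\n")  # tolerate pasted captures with bare LF
    head, _, body = text.partition(b"\n\n")
    lines = head.split(b"\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers, body


def trace_verdict(request: bytes, raw_response: bytes) -> str:
    """Return 'enabled', 'disabled' or 'inconclusive' for a TRACE probe."""
    status, headers, body = parse_response(raw_response)
    if status in (403, 405, 501):  # method refused or not implemented
        return "disabled"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    request_line = request.replace(b"\r\n", b"\n").split(b"\n", 1)[0].strip()
    # An active TRACE answers 200, labels the body message/http and echoes the request.
    if status == 200 and ctype == "message/http" and request_line and request_line in body:
        return "enabled"
    return "inconclusive"


if __name__ == "__main__":
    print("thread capture:", trace_verdict(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print("405 sample:    ", trace_verdict(SAMPLE_REQUEST, REFUSED_RESPONSE))
```

When a reverse proxy or load balancer sits in front of Apache, the verdict describes whichever hop answered the probe, so test the same listener the scanner reached.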