 
08-04-2010, 01:34 PM
Jim Tarvid

Apache TraceEnable on

+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
/etc/apache2/apache2.conf has
Include /etc/apache2/conf.d/ which has

security.dpkg-dist which has
TraceEnable Off

but TRACE is on

and why should OPTIONS be on too?

--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net




--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
08-05-2010, 04:08 PM
Jim Tarvid

Apache TraceEnable on

I think you are correct.

root@helen:/etc# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 05 Aug 2010 16:06:13 GMT
Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0

Connection closed by foreign host.

The false positive alarms the credit card security scanners.




On Thu, Aug 5, 2010 at 10:48 AM, Joe McDonagh <joseph.e.mcdonagh@gmail.com> wrote:

On 08/04/2010 09:34 AM, Jim Tarvid wrote:

+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
/etc/apache2/apache2.conf has
Include /etc/apache2/conf.d/ which has

security.dpkg-dist which has
TraceEnable Off

but TRACE is on

and why should OPTIONS be on too?

--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net

I don't think TRACE is actually on, even though it says it is.

--
Joe McDonagh
Operations Engineer
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."





--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
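
An added example, not part of the original thread: a small Python check that classifies a raw reply to a TRACE request by status code, Content-Type and echoed body, so a scanner finding can be compared with what the server actually returns. The function names are hypothetical, the 405 sample is constructed, and the list of "refused" status codes is an assumption.

```python
import socket

REQUEST_LINE = b"TRACE / HTTP/1.0"  # same request as the telnet session in the thread

def classify_trace_response(raw, request_line=REQUEST_LINE):
    """Classify a raw reply to TRACE as 'enabled', 'disabled' or 'inconclusive'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "inconclusive"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # A working TRACE echoes the request back in a message/http body.
    is_echo = (headers.get(b"content-type", b"").startswith(b"message/http")
               and request_line in body)
    if status == 200 and is_echo:
        return "enabled"
    # Assumption: a refused method is answered with 403, 405 or 501.
    if status in (403, 405, 501):
        return "disabled"
    return "inconclusive"

def probe_trace(host, port=80, timeout=5.0):
    """Send one TRACE request over a plain socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(REQUEST_LINE + b"\r\n\r\n")
        # HTTP/1.0 without keep-alive: read until the server closes the connection.
        raw = b"".join(iter(lambda: sock.recv(4096), b""))
    return classify_trace_response(raw)

# Reply from the thread's telnet session, re-typed with CRLF line endings.
SAMPLE_FROM_THREAD = (
    b"HTTP/1.1 200 OK\r\nDate: Thu, 05 Aug 2010 16:06:13 GMT\r\n"
    b"Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g\r\n"
    b"Connection: close\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.0\r\n\r\n"
)
# Constructed sample of a refusal; not taken from the thread.
SAMPLE_REFUSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
    b"Connection: close\r\nContent-Type: text/html\r\n\r\n<html>405</html>"
)
```

`probe_trace("localhost")` repeats the telnet check from the post against a live server; `classify_trace_response` can also be fed a reply saved from a scanner report.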
 
