Apache TraceEnable on
I think you are correct.
root@helen:/etc# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
HTTP/1.1 200 OK
Date: Thu, 05 Aug 2010 16:06:13 GMT
Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
Connection closed by foreign host.
The false positive alarms the credit card security scanners.
On Thu, Aug 5, 2010 at 10:48 AM, Joe McDonagh <joseph.e.mcdonagh@gmail.com> wrote:
> On 08/04/2010 09:34 AM, Jim Tarvid wrote:
>> + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
>> + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
>> /etc/apache2/apache2.conf has
>> Include /etc/apache2/conf.d/ which has
>> security.dpkg-dist which has
>> TraceEnable Off
>> but TRACE is on
>> and why should OPTIONS be on too?
>> --
>> Rev. Jim Tarvid, PCA
>> Galax, Virginia
>> http://ls.net
> I don't think TRACE is actually on, even though it says it is.
> --
> --
> Joe McDonagh
> Operations Engineer
> AIM: YoosingYoonickz
> IRC: joe-mac on freenode
> "When the going gets weird, the weird turn pro."
--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
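An added example, not part of the original thread: a small Python check that sends the same TRACE request as the telnet session above and classifies the reply, so the scanner finding can be confirmed or ruled out after a configuration change. The function names are hypothetical, the "on" sample is rebuilt from the session in this message, and the 405 sample is constructed to match what Apache documents for TraceEnable Off.

```python
import socket
import sys

REQUEST = b"TRACE / HTTP/1.0\r\n\r\n"   # same request line as the telnet session

# Reply rebuilt from the telnet session in this thread (TRACE answered).
SAMPLE_ON = (b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
             b"Content-Type: message/http\r\n\r\nTRACE / HTTP/1.0\r\n\r\n")
# Constructed sample: Apache answers 405 when TraceEnable Off is in effect.
SAMPLE_OFF = (b"HTTP/1.1 405 Method Not Allowed\r\n"
              b"Allow: GET,HEAD,POST,OPTIONS\r\nConnection: close\r\n\r\n")

def probe_trace(host, port=80, timeout=5.0):
    """Send REQUEST to host:port and return the raw reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(REQUEST)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:            # HTTP/1.0: server closes when done
                break
            chunks.append(data)
    return b"".join(chunks)

def trace_status(response, request=REQUEST):
    """Return 'enabled', 'disabled' or 'unclear' for a raw TRACE reply."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unclear"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # TRACE is really on only if the server echoes the request as message/http.
    echoed = request.split(b"\r\n", 1)[0] in body
    is_echo_type = headers.get(b"content-type", b"").startswith(b"message/http")
    code = int(parts[1])
    if code == 200 and is_echo_type and echoed:
        return "enabled"
    if code in (403, 405, 501):     # refused, not allowed, or not implemented
        return "disabled"
    return "unclear"

if __name__ == "__main__":
    if len(sys.argv) > 1:           # live check against a host you administer
        print(sys.argv[1], trace_status(probe_trace(sys.argv[1])))
    else:                           # offline: classify the embedded samples
        print("sample on :", trace_status(SAMPLE_ON))
        print("sample off:", trace_status(SAMPLE_OFF))
```

Run it against the server before and after changing the configuration; a result of "enabled" means the TraceEnable Off directive is not being applied.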