HPE Community
Operating System - HP-UX
1820475 Members
2921 Online
109624 Solutions
New Discussion юеВ

Apache Help

 
SOLVED
Go to solution
KPS
Super Advisor

тАО06-30-2005 05:46 AM

тАО06-30-2005 05:46 AM

Apache Help

Hi, we're running a few different versions of HP Apache Web-Based Server. We're being told that we need to disable HTTP Trace where it is not needed. I'm not very Apache Knowledgeable and I'm looking for instructions on how to do this on HP-UX 11.0 and 11.11 running the following versions of Apache:

- A.1.0.01.02
- 1.03.12.03
- 1.3.19.23

Any help would be greatly appreciated.

-Ken
0 Kudos
Reply
6 REPLIES 6
Geoff Wild
Honored Contributor

тАО06-30-2005 06:16 AM

тАО06-30-2005 06:16 AM

Re: Apache Help

This may help:

http://www.kb.cert.org/vuls/id/867593

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
Bejoy C Alias
Respected Contributor

тАО06-30-2005 08:56 PM

тАО06-30-2005 08:56 PM

Re: Apache Help

TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users to give him their
credentials.

To disable TRACE / TRACK add this at the last of ur httpd.conf file.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Be Always Joy ......
Reply
KPS
Super Advisor

тАО07-01-2005 01:28 AM

тАО07-01-2005 01:28 AM

Re: Apache Help

Folks,

Thanks for the replies. Would anyone happen to know what config file for Apache these changes would be made to disable the HTTP Trace? I was guessing it might be httpd.conf, but I'm not 100% sure.
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО07-01-2005 02:18 AM

тАО07-01-2005 02:18 AM

Re: Apache Help

It is probably in the httpd.conf file.

http://httpd.apache.org

Its documented pretty well there.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Bejoy C Alias
Respected Contributor

тАО07-01-2005 03:05 PM

тАО07-01-2005 03:05 PM

Solution

Re: Apache Help

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

This should be added to ur httpd.conf file only.
Be Always Joy ......
Reply
KPS
Super Advisor

тАО07-03-2005 02:10 AM

тАО07-03-2005 02:10 AM

Re: Apache Help

Thanks for your help everyone!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.