Apache TraceEnable on

Jim Tarvid tarvid at ls.net
Thu Aug 5 16:08:35 UTC 2010


I think you are correct.

root at helen:/etc# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 05 Aug 2010 16:06:13 GMT
Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0

Connection closed by foreign host.

The false positive alarms the credit card security scanners.



On Thu, Aug 5, 2010 at 10:48 AM, Joe McDonagh
<joseph.e.mcdonagh at gmail.com> wrote:

> On 08/04/2010 09:34 AM, Jim Tarvid wrote:
>
>> + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
>> + OSVDB-877: HTTP TRACE method is active, suggesting the host is
>> vulnerable to XST
>>
>> /etc/apache2/apache2.conf has
>> Include /etc/apache2/conf.d/ which has
>> security.dpkg-dist which has
>> TraceEnable Off
>>
>> but TRACE is on
>>
>> and why should OPTIONS be on too?
>>
>> --
>> Rev. Jim Tarvid, PCA
>> Galax, Virginia
>> http://ls.net
>>
> I don't think TRACE is actually on, even though it says it is.
>
>
> --
> --
> Joe McDonagh
> Operations Engineer
> AIM: YoosingYoonickz
> IRC: joe-mac on freenode
> "When the going gets weird, the weird turn pro."
>
>


-- 
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
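
The manual telnet check in this message can be scripted. The following is an added example, not part of the original message or of any Apache or Ubuntu tooling: it sends the same bare TRACE request and classifies the reply, relying on Apache's documented behaviour of answering 405 when TraceEnable is off. The function names and the 405 sample are constructed for illustration.

```python
import socket

def probe_trace(host, port=80, timeout=5.0):
    """Send the bare TRACE request from the telnet session; return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(b"TRACE / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:          # HTTP/1.0: the server closes when it is done
                break
            chunks.append(data)
    return b"".join(chunks)

def classify_trace(raw, sent_line="TRACE / HTTP/1.0"):
    """Return 'enabled', 'disabled' or 'inconclusive' for a raw TRACE reply."""
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "inconclusive"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # An active TRACE handler echoes the request back as message/http.
    if status == 200 and ctype == "message/http" and body.lstrip().startswith(sent_line):
        return "enabled"
    # Apache answers 405 Method Not Allowed when TraceEnable is off.
    if status == 405:
        return "disabled"
    return "inconclusive"

# Reply copied from the telnet session in this message.
PAGE_REPLY = (b"HTTP/1.1 200 OK\r\nDate: Thu, 05 Aug 2010 16:06:13 GMT\r\n"
              b"Server: Apache/2.2.12 (Ubuntu) mod_ssl/2.2.12 OpenSSL/0.9.8g\r\n"
              b"Connection: close\r\nContent-Type: message/http\r\n\r\n"
              b"TRACE / HTTP/1.0\r\n\r\n")
# Constructed sample: the shape of a reply when TRACE is refused.
CONSTRUCTED_405 = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                   b"Connection: close\r\nContent-Type: text/html\r\n\r\n<html>405</html>")

if __name__ == "__main__":
    print(classify_trace(PAGE_REPLY), classify_trace(CONSTRUCTED_405))
```

Running `classify_trace(probe_trace("localhost"))` on the server itself after each configuration change shows whether the `TraceEnable Off` directive is actually being applied.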