Security audit is requesting that these vulnerabilities be disabled.
Reviewing the httpd.conf config files, I see no evidence of TRACE and/or TRACK, so I'm assuming these are on by default, and need to be disabled by one of the suggested methods.
All of our HTTP instances are Apache 2.2.11(i5).
Am I correct that I need to re-visit every HTTP instance, adding one of the two recommendations below.

To disable
TraceEnabled Off

# disable TRACE in the main scope of httpd.conf
RewriteEngine On
RewriteRule .* - [F]
# disable TRACE in the virtual host
RewriteEngine On
RewriteRule .* - [F]

mod_rewrite must be active for these directives to be accepted. If mod_rewrite is not already active in your configuration:

Plugin Text: Synopsis: Debugging functions are enabled on the remote web server.
Description: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web
server connections.
Solution: Disable these methods. Refer to the plugin output for more information.
See Also:
Risk Factor: Medium
CVSS Base Score: 4.3
CVSS Temporal Score: 3.9
CVSS Temporal Vector: CVSS2#E:F/RL:W/RC:C
Plugin Output:
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
Nessus sent

Thank You
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home


This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page