So even if TraceEnable is not in the httpd.conf file, by default it is off.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Nadir Amra
Sent: Tuesday, January 14, 2014 3:35 PM
To: Midrange Systems Technical Discussion
Subject: Re: Possible iSeries HTTP vulnerabilities TRACE and/or TRACK methods

According to the InfoCenter directive reference, if not specified the default is

TraceEnable off


Nadir Amra

From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
Date: 01/14/2014 02:29 PM
Subject: Possible iSeries HTTP vulnerabilities TRACE and/or TRACK
Sent by: midrange-l-bounces@xxxxxxxxxxxx

Security audit is requesting that these vulnerabilities be disabled.
Reviewing the httpd.conf config files, I see no evidence of TRACE and/or
TRACK, so I'm assuming these are on by default and need to be disabled by
one of the suggested methods.
All of our HTTP instances are Apache 2.2.11 (i5).
Am I correct that I need to re-visit every HTTP instance, adding one of
the two recommendations below?

To disable
TraceEnable Off

# disable TRACE in the main scope of httpd.conf
RewriteEngine On
# only forbid TRACE and TRACK; without this condition the rule blocks every request
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# disable TRACE in the virtual host
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

mod_rewrite must be active for these directives to be accepted. If
mod_rewrite is not already active in your configuration:

Plugin Text: Synopsis: Debugging functions are enabled on the remote web
Description: The remote web server supports the TRACE and/or TRACK
methods. TRACE and TRACK are HTTP methods that are used to debug web
server connections.
Solution: Disable these methods. Refer to the plugin output for more
See Also:
Risk Factor: Medium
CVSS Base Score: 4.3
CVSS Temporal Score: 3.9
CVSS Temporal Vector: CVSS2#E:F/RL:W/RC:C
Plugin Output:
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
Nessus sent

Thank You
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
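Added example for the thread above (it is not from the list, from Nessus or from IBM): a small Python script that (1) scans an httpd.conf for the TraceEnable value actually in force, per <VirtualHost> scope, and flags the 'TraceEnabled' misspelling that httpd rejects at startup, and (2) builds the TRACE probe a scanner like Nessus sends and classifies the answer, with the response check separated from the socket code so it can be exercised offline. The sample config and responses below are constructed. The default of 'off' follows the InfoCenter note quoted in the thread; stock Apache httpd defaults TraceEnable to 'on', so pass default='on' when checking a non-IBM build.

```python
"""Offline checks for the TRACE/TRACK question: which TraceEnable value is
in force per scope of an httpd.conf, and whether a TRACE response reflects
the request. Assumes plain Apache 2.2 syntax and the IBM i default of 'off'
reported in the thread (override with default='on' for stock httpd)."""
import re
import socket

VALID_TRACE_VALUES = {"on", "off", "extended"}   # values Apache 2.2 accepts
# Also matches the misspelling 'TraceEnabled' so it can be reported.
_TRACE_RE = re.compile(r"^(TraceEnabled?)\s+(\S+)\s*$", re.IGNORECASE)


def trace_settings(conf_text, default="off"):
    """Return ({scope: value}, problems).

    scope is 'main' or the <VirtualHost ...> argument. A vhost without its
    own directive inherits the main server's final value, as httpd merges
    it. problems lists lines httpd would refuse at startup."""
    explicit = {}            # scope -> last TraceEnable value seen there
    scopes = ["main"]
    scope = "main"
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd only honours full-line comments
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            scope = line.strip("<>").split(None, 1)[1]   # e.g. '*:443'
            scopes.append(scope)
            continue
        if low.startswith("</virtualhost"):
            scope = "main"
            continue
        m = _TRACE_RE.match(line)
        if not m:
            continue
        name, arg = m.group(1), m.group(2).lower()
        if name.lower() != "traceenable":
            # 'TraceEnabled Off' is not a directive; httpd will not start.
            problems.append(f"line {lineno}: unknown directive {name!r}")
        elif arg not in VALID_TRACE_VALUES:
            problems.append(f"line {lineno}: bad TraceEnable value {arg!r}")
        else:
            explicit[scope] = arg            # later occurrences win
    main_value = explicit.get("main", default.lower())
    settings = {s: explicit.get(s, main_value) for s in scopes}
    return settings, problems


def build_trace_request(host, marker):
    """Raw TRACE request carrying a marker header; a body that contains the
    marker proves the server reflects client headers (the XST condition)."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Xst-Probe: {marker}\r\n"
            f"Connection: close\r\n\r\n").encode()


def trace_reflected(response, marker):
    """Classify raw response bytes as (status, reflected).

    TraceEnable off answers 405, the mod_rewrite [F] rule answers 403;
    only a 200 whose body echoes the marker counts as reflected."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, status == 200 and marker.encode() in body


def send_trace(host, port=80, marker="xst-probe-1", timeout=5.0):
    """Live probe against a real instance (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host, marker))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_reflected(b"".join(chunks), marker)


# Constructed sample config: main scope leaves TRACE on, one vhost turns it
# off, one inherits, and the last line carries the misspelling from the thread.
SAMPLE_CONF = """# constructed sample httpd.conf
Listen 80
TraceEnable on
<VirtualHost *:443>
    ServerName secure.example.com
    TraceEnable off
</VirtualHost>
<VirtualHost *:8080>
    ServerName other.example.com
</VirtualHost>
TraceEnabled Off
"""

# Constructed responses: a reflecting server, and one with TraceEnable off.
REFLECTED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                      b"TRACE / HTTP/1.1\r\nHost: h\r\nX-Xst-Probe: xst-probe-1\r\n\r\n")
DENIED_RESPONSE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD\r\n\r\n"

if __name__ == "__main__":
    print(trace_settings(SAMPLE_CONF))
    print(trace_reflected(REFLECTED_RESPONSE, "xst-probe-1"))
    print(trace_reflected(DENIED_RESPONSE, "xst-probe-1"))
```

Run the script as-is to see the constructed cases; to check a live instance call send_trace("host", 80) and expect 405 after TraceEnable off, 403 after the RewriteRule fix, and a reflected 200 only where TRACE is still enabled.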
