Saturday, January 30, 2010

disabling TRACK and TRACE

Testing our web servers with the OpenVAS scanner (a fork of Nessus) hosted at hackertarget.com flagged the TRACK and TRACE methods as needing to be disabled. The reason these methods matter is that a server which implements them echoes the whole request back in the response body, so a script in the browser can read headers the browser added, such as cookies and Authorization (the cross-site tracing problem). On IIS it turned out that TRACK and TRACE are in fact already disabled: both get a 501 Not Implemented, verified with telnet as given here. The extra headers A: b and C: d in the requests below are markers; if the method were live they would come back in the response body.

telnet media.radiosai.org 80
Trying 66.249.27.178...
Connected to media.radiosai.org.
Escape character is '^]'.
TRACK / HTTP/1.0
Host: foo
A: b
C: d

HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sat, 30 Jan 2010 04:30:44 GMT
Connection: close

telnet media.radiosai.org 80
Trying 66.249.27.178...
Connected to media.radiosai.org.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
A: b
C: d

HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sat, 30 Jan 2010 04:30:44 GMT
Connection: close


On krishna, which runs Apache, TRACE had to be disabled explicitly. After a bit of googling, howtoforge showed the simple way: just add
TraceEnable Off
to /etc/apache2/apache2.conf and restart the web server. TraceEnable is a server config or virtual host directive (it does not work from .htaccess) and exists in Apache 1.3.34, 2.0.55 and later; with it set to Off Apache answers TRACE with 405 Method Not Allowed. TRACK is an IIS-only method that Apache does not implement at all, so Apache already returns 501 Not Implemented for it without any configuration.
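As an added example (not part of the original post), here is a small Python checker that does what the telnet sessions above do by hand and can be rerun after the TraceEnable Off change: it sends TRACE and TRACK with the same marker headers and reports whether the server refused the method (405/501) or echoed the request back, which is the condition that makes cross-site tracing possible. The probe() network function and the three sample responses are mine; the samples are constructed (the first is modelled on the IIS 6.0 reply shown above, the two Apache ones are illustrative, not captured from krishna).

```python
"""Probe a web server for TRACE/TRACK and tell whether the method is
refused or actually reflects the request back (the cross-site tracing risk)."""
import socket

# Marker headers sent with every probe. A server that implements TRACE/TRACK
# echoes the request in a message/http body, so finding these markers in the
# response body is the positive signal, independent of the status code text.
MARKER_HEADERS = {"A": "b", "C": "d"}


def build_request(method, host, path="/"):
    """Build the same raw HTTP/1.0 request the telnet session types by hand."""
    lines = [f"{method} {path} HTTP/1.0", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in MARKER_HEADERS.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_response(raw):
    """Return (status_code, verdict) for a raw HTTP response.

    'reflected'  : 2xx and our marker headers appear in the body (method is live)
    'refused'    : non-2xx, typically 405 (Apache TraceEnable Off) or 501 (IIS)
    'unexpected' : 2xx without the echo, worth a manual look
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return None, "unparseable"
    code = int(parts[1])
    echoed = all(f"{k}: {v}".encode("ascii") in body for k, v in MARKER_HEADERS.items())
    if 200 <= code < 300 and echoed:
        return code, "reflected"
    if 200 <= code < 300:
        return code, "unexpected"
    return code, "refused"


def probe(host, port=80, method="TRACE", timeout=5.0):
    """Send one TRACE/TRACK probe over a plain socket and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


# Constructed sample responses for offline use (not captured traffic).
# IIS_501 mirrors the IIS 6.0 answer shown above; APACHE_405 is the shape
# of an Apache answer with TraceEnable Off; APACHE_REFLECTED is what a
# server with TRACE enabled sends: 200 plus the echoed request.
IIS_501 = (b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n"
           b"Server: Microsoft-IIS/6.0\r\nConnection: close\r\n\r\n")
APACHE_405 = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
              b"Content-Length: 0\r\nConnection: close\r\n\r\n")
APACHE_REFLECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                    b"Connection: close\r\n\r\n"
                    b"TRACE / HTTP/1.0\r\nHost: foo\r\nA: b\r\nC: d\r\n\r\n")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    if host:
        for method in ("TRACE", "TRACK"):
            print(method, *probe(host, method=method))
    for name, sample in (("IIS_501", IIS_501), ("APACHE_405", APACHE_405),
                         ("APACHE_REFLECTED", APACHE_REFLECTED)):
        print(name, *classify_response(sample))
```

Run it as `python3 tracecheck.py yourhost` (a hypothetical file name) before and after adding TraceEnable Off; TRACE should move from reflected to refused, and TRACK should be refused on Apache in both runs. One caveat: if a reverse proxy or load balancer sits in front of the origin, the reflected answer may come from it rather than from Apache, so probe whichever host the scanner actually reached.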

PS. Initially I had tried the rewrite-based approach that is given in many places, like here:
# disable TRACE and TRACK in the main scope of httpd.conf
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]

But this did not seem to work. To enable mod_rewrite I had to run sudo a2enmod rewrite, as given here.
