By default, Apache 2.0.52 will respond to any HTTP TRACE request it receives. This is a potential security issue because it allows certain types of XSS attacks. For more details see http://www.apacheweek.com/issues/03-01-24#news
I am trying to disable TRACE requests by following the instructions given on the page above. I added the following lines of code to the http.conf file and restarted apache:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
However, when I submit the TRACE request to my web server, it seems to ignore the rewrite rules and respond as if the TRACE requests were still enabled.
For instance:
[admin2@dedicated ~]$ telnet XXXX.com 80
Trying XXXX...
Connected to XXXX.com (XXXX).
Escape character is '^]'.
TRACE / HTTP/1.0
X-Test: foobar

HTTP/1.1 200 OK
Date: Sat, 11 Jul 2009 17:33:41 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
X-Test: foobar

Connection closed by foreign host.
The server should respond with 403 Forbidden. Instead, it repeats my request with 200 OK.
As a test, I changed the RewriteCond to %{REQUEST_METHOD} ^GET
When I do this, Apache correctly answers all GET requests with 403 Forbidden. But when I change the GET back to TRACE, it still ignores the TRACE requests.
How can I make Apache stop responding to TRACE requests?
Gdere
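As an added example (not part of the original question or of Apache's own tooling), here is a small Python probe that sends the same TRACE request as the telnet session above and decides from the reply whether TRACE is still effectively enabled, i.e. whether the server answers 200 with a message/http body that reflects the marker header back. The two sample responses embedded in it are constructed: one from the exchange shown in the question, one showing the 403 the poster expects. The probe also sends a Host header, which the HTTP/1.0 telnet test omits; on a server with name-based virtual hosts that matters, because a request without Host lands in the default vhost, which may not be the one carrying the rewrite rules. The hostname passed on the command line is a placeholder.

```python
#!/usr/bin/env python3
"""Probe a web server for HTTP TRACE (cross-site tracing) exposure.

Added example, not code from the original post. The target hostname is
an assumption supplied by the caller; nothing here is specific to it.
"""
import socket
import sys

MARKER_HEADER = b"X-Test"
MARKER_VALUE = b"foobar"

# Constructed sample: the reply shown in the post, with the request echoed back.
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 11 Jul 2009 17:33:41 GMT\r\n"
    b"Server: Apache/2.0.52 (Red Hat)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\n"
    b"X-Test: foobar\r\n"
    b"\r\n"
)

# Constructed sample: what a server that blocks TRACE with [F] returns.
SAMPLE_TRACE_BLOCKED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>"
)


def build_trace_request(host: str, marker: bytes = MARKER_VALUE) -> bytes:
    """Same TRACE request the post types into telnet, plus a Host header so
    the probe reaches the named virtual host rather than the default one."""
    return (
        b"TRACE / HTTP/1.0\r\n"
        + b"Host: " + host.encode() + b"\r\n"
        + MARKER_HEADER + b": " + marker + b"\r\n"
        + b"\r\n"
    )


def classify_response(raw: bytes, marker: bytes = MARKER_VALUE) -> dict:
    """Parse a raw HTTP response and decide whether TRACE is effectively enabled.

    TRACE counts as enabled only if the status is 200, the body is
    message/http and our marker header is reflected in it; that reflection
    is what makes cross-site tracing useful to an attacker.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2) if lines else []
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        status = 0  # malformed or empty status line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    content_type = headers.get(b"content-type", b"")
    reflected = marker in body
    enabled = status == 200 and content_type.startswith(b"message/http") and reflected
    return {
        "status": status,
        "content_type": content_type.decode(errors="replace"),
        "reflected": reflected,
        "trace_enabled": enabled,
    }


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send the TRACE probe to a live server and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(check_trace(target))
```

Run it as `python3 trace_probe.py www.example.org` after each configuration change; a result with `"trace_enabled": True` means the rewrite rule is not being applied to the vhost that answered. Note that the `TraceEnable off` directive, which disables TRACE in the core without mod_rewrite, only exists in Apache 2.0.55 and later (and in 2.2 and 2.4); on 2.0.52 the rewrite-based block is the available option, so a probe like this is the way to confirm it actually took effect.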