apache TRACE/TRACK disable

mickalo · Nov 24, 2008

I've been informed that using Apache TRACE/TRACK method is can cause security issues. How does one disable this, couldn't find anything in the httpd.conf file referencing this. We running Apache 2.2.10 w/latest Stable Cpanel.

Thx's

Mike

nickp666 · Nov 25, 2008

mod_security will help in this instance, here is a rule that will do it

Code:

# deny TRACE method
SecRule REQUEST_METHOD "trac(?:e|k)" \
	"phase:1,t:lowercase,id:340002,rev:2,severity:2,msg:'TRACE/TRACK method denied'"

mickalo · Nov 25, 2008

thanks for the info, we'll add it to mod security rules.

Mike

Thread starter	Similar threads	Forum	Replies	Date
K	In Progress UPS-505 - AH10411 errors after Apache update (v2.4.56)	Web Servers and Applications	1	Yesterday at 3:45 AM
R	Apache Alias for all domains on the server - custom autodiscover file	Web Servers and Applications	1	Monday at 9:26 AM
P	Problem with rrd and imagick on EasyApache	Web Servers and Applications	4	Monday at 8:50 AM
K	Apache trace root of problem	Web Servers and Applications	7	Nov 28, 2006
S	can't trace frequent apache crash/automagic restart error	Web Servers and Applications	2	Apr 8, 2005

Search

Search

apache TRACE/TRACK disable

mickalo

Well-Known Member

nickp666

Well-Known Member

mickalo

Well-Known Member