
The problem still persists

Discussion in 'Security' started by manishbathla, Mar 28, 2012.

  1. manishbathla

    manishbathla Member

    cPanel Access Level:
    Website Owner

    I bought basic Linux web hosting. The configuration is cPanel Version 11.30.6 (build 3), Apache version 2.2.22, PHP version 5.2.17, MySQL version 5.1.61-rel13.2-log, Architecture x86_64, Operating system linux.

    I ran a security test on my web space and found the following security loopholes, which I have been trying to get rid of for the past week but was unable to.

    1. TRACE method is enabled, which needs to be disabled. I did put something like this below in my .htaccess file:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

    and ran the security test, but the problem still persists after adding the above to the .htaccess file.

    2. OPTIONS method is enabled and this needs to be disabled.

    I have a basic hosting plan and hence no access to WHM. Now the question is how do I disable the above mentioned options using .htaccess? Need help asap.

    Thanking you,
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello Manish,

    Is there a reason you haven't contacted your hosting provider for assistance to pass the scan? Most times, you are going to run into PCI compliance tests that require changes to the global server settings which you cannot perform. These really need to be taken up with your hosting provider.

    For example, the TRACE directive cannot be limited using the LIMIT directive nor is TraceEnable Off something that can be set in the .htaccess file (it's part of the httpd.conf file itself). You can review the discussions on the directives at this spot:

    core - Apache HTTP Server
    core - Apache HTTP Server

    As for OPTIONS, you can change it in .htaccess files:

    core - Apache HTTP Server

    Something like the following:

    Options None

    Of course, this will remove a slew of options. I'm uncertain if all options need to be removed or not.
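
Added example, not part of the thread or of cPanel's or Apache's own material: a Python check for confirming what a scanner reports about TRACE and OPTIONS on a site you administer. It separates the 403 that the rewrite rule's [F] flag produces from the 405 Apache returns when TraceEnable is Off. The function names, the X-Trace-Probe header and the sample responses are all constructed for illustration.

```python
import http.client
import sys

def probe(host, method, port=80, timeout=10):
    """Send one request to a host you administer; return (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Probe": "constructed-marker"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    finally:
        conn.close()

def trace_enabled(status, headers, body):
    """TRACE is live only when the request comes back echoed as message/http."""
    ctype = headers.get("content-type", "").lower()
    return status == 200 and (ctype.startswith("message/http")
                              or "x-trace-probe" in body.lower())

def options_report(status, headers):
    """Methods advertised in the Allow header, or [] when OPTIONS is refused."""
    if status >= 400:
        return []
    allow = headers.get("allow", "")
    return sorted(m.strip().upper() for m in allow.split(",") if m.strip())

def assess(trace_resp, options_resp):
    """Combine both probes into one verdict dictionary."""
    allowed = options_report(*options_resp[:2])
    return {"trace_enabled": trace_enabled(*trace_resp),
            "options_allowed": allowed,
            "trace_advertised": "TRACE" in allowed}

# Constructed sample responses, not captured from any real server.
TRACE_OPEN = (200, {"content-type": "message/http"},
              "TRACE / HTTP/1.1\r\nX-Trace-Probe: constructed-marker\r\n\r\n")
TRACE_REWRITE_F = (403, {"content-type": "text/html"}, "<h1>Forbidden</h1>")
TRACE_ENABLE_OFF = (405, {"allow": "GET,HEAD,POST,OPTIONS"}, "")
OPTIONS_OPEN = (200, {"allow": "GET,HEAD,POST,OPTIONS,TRACE"}, "")

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: pass the hostname as the first argument
        print(assess(probe(sys.argv[1], "TRACE"), probe(sys.argv[1], "OPTIONS")))
    else:                   # offline run over the constructed samples
        for name, t in [("open", TRACE_OPEN), ("403", TRACE_REWRITE_F), ("405", TRACE_ENABLE_OFF)]:
            print(name, assess(t, OPTIONS_OPEN))
```

Probe the same hostname and port the scanner targeted, so the request reaches the virtual host whose .htaccess carries the rule.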
