TRACE/TRACK Method Detected

adripillo said:
Does anyone know how to disable this? Thanks.
Why do you think it needs to be disabled?

The HTTP protocol has several methods which are being used to send or retrieve information (from the server's point of view), amongst which HEAD and GET, and these are actually considered to be safe methods.

So I think this either depends on context (related to the kind of scan you executed) or is simply an overview of your webserver capabilities.
 
Under certain circumstances, the TRACE method can be exploited for a Cross Site Tracing attack, and in some flawed setups, the HEAD method can be utilized for HEAD access control bypass.

I consider the first a problem inherited by the design of the TRACE method, while the second problem is not really a problem of the HEAD method, but the utilized authentication implementation needs to be fixed.

So, I disabled TRACE on my apache web servers by adding the following directive to /usr/local/etc/apache2x/httpd.conf, and I am happily living with the HEAD method.

Code:
...
TraceEnable off
...
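To see what a scanner is actually flagging and to confirm that `TraceEnable off` has taken effect, here is an added verification script (not from this thread and not part of Apache). It starts two small constructed test servers on localhost, one that echoes TRACE requests the way an unhardened server does and one that refuses them, and runs the same check against both; point `check_trace()` at your own host and port after reloading httpd to confirm the directive works. The handler names, the `X-Xst-Check` marker header and the set of "refused" status codes are assumptions of this example.

```python
import http.client
import http.server
import threading

# Constructed test server A: reflects the request back, as an unhardened
# server does for TRACE.  This is what a scanner reports as "TRACE/TRACK
# Method Detected" and what makes Cross Site Tracing possible.
class TraceEchoHandler(http.server.BaseHTTPRequestHandler):
    def do_TRACE(self):
        header_block = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = self.raw_requestline + header_block.encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


# Constructed test server B: the behaviour you want after "TraceEnable off",
# i.e. TRACE is refused and nothing from the request is reflected.
class TraceRefusingHandler(http.server.BaseHTTPRequestHandler):
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_test_server(handler_cls):
    """Bind a handler to a free localhost port and serve it in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_trace(host, port, timeout=5):
    """Send one TRACE request carrying a marker header (assumed name) and
    return (status_code, reflected), where reflected is True if the marker
    comes back in the response body, i.e. the server echoes requests."""
    marker = "X-Xst-Check"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={marker: "probe"})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, marker.lower().encode() in body.lower()
    finally:
        conn.close()


# Status codes treated as "TRACE is off"; 405/501 are what Apache and most
# other servers answer once the method is disabled (assumed list).
REFUSED_STATUSES = {403, 405, 501}


def trace_is_disabled(host, port):
    """True when the server refuses TRACE and reflects nothing."""
    status, reflected = check_trace(host, port)
    return status in REFUSED_STATUSES and not reflected


if __name__ == "__main__":
    for name, handler in (("echoing", TraceEchoHandler), ("refusing", TraceRefusingHandler)):
        srv = start_test_server(handler)
        print(name, check_trace("127.0.0.1", srv.server_port),
              "disabled:", trace_is_disabled("127.0.0.1", srv.server_port))
        srv.shutdown()
        srv.server_close()
```

Run it as-is to see the two outcomes side by side; against a real host, `trace_is_disabled("www.example.org", 80)` returning `False` after you added the directive usually means httpd was not restarted or the directive landed in a virtual host that does not serve that port.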
 
ShelLuser said:
Why do you think it needs to be disabled?

The HTTP protocol has several methods which are being used to send or retrieve information (from the server's point of view), amongst which HEAD and GET, and these are actually considered to be safe methods.

So I think this either depends on context (related to the kind of scan you executed) or is simply an overview of your webserver capabilities.

So you mean that is ok?
 
rolfheinrich said:
Under certain circumstances, the TRACE method can be exploited for a Cross Site Tracing attack, and in some flawed setups, the HEAD method can be utilized for HEAD access control bypass.

I consider the first a problem inherited by the design of the TRACE method, while the second problem is not really a problem of the HEAD method, but the utilized authentication implementation needs to be fixed.

So, I disabled TRACE on my apache web servers by adding the following directive to /usr/local/etc/apache2x/httpd.conf, and I am happily living with the HEAD method.

Code:
...
TraceEnable off
...

Thank you.
 
Hello, I was running a test on my server and found this "security fail". Does anyone know how to solve it?
 
wblock@ said:
Nearly zero details are present here. What test was run, and how? What file was modified?

I really do not know the name of the test; it was executed from outside by a friend. The file I modified to add that entry is httpd.conf.
 
Sorry but what you have offered is zero use to anyone else. No details of what the problem was and no explanation how your "fix" actually helps.
 