03-Apr-2003, 03:17 PM
Wade Preston
vulnerability scan - http trace enabled

Someone from our corporate office ran a vulnerability scan on our webservers and sent me the reports so that I could correct the problems with our web servers to protect us against hacker attacks. One of the things listed on the report was HTTP Trace enabled. This was on our NW6 server that runs Apache 1.3.26 (we have two instances on this server, one for ifolder and another just a web server). I asked him how I can correct this problem and this is what he sent me:

First, we enabled the 'rewrite engine' through the apache config file (httpd.conf). This entailed uncommenting the section that loads the module. Then, per instructions from CERT, we used the Apache mod_rewrite module to deny HTTP TRACE requests. TRACE requests can be disabled with the following mod_rewrite syntax (in httpd.conf):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

After reading this I went to the httpd.conf and uncommented the line that says:

LoadModule rewrite_module modules/rewrite.nlm

Then at the bottom of the httpd.conf I added the following:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

I made these changes to both httpd.conf files, the one in sys:\apache\conf and the one in sys:\apache\ifolder\server. Then I issued the commands to stop the servers and restart them: stopifolder, nvxadmdn, nvxadmup, startifolder. In that order. I saw on the ifolder startup that the rewrite module was then started. I was not sure for the web server though.

I then asked our guy at the corporate office how I can test to make sure my changes worked. He said to do the following:

1.) Telnet to the server on port 80. (for example, "telnet 12.40.84.40 80")
2.) Issue the trace command. This should be "TRACE / HTTP/1.0" and hit enter twice.
3.) You should receive a response from the web server. If you get a 200 series message, the server is vulnerable. If you receive a 400 series message, the server is secure. I would also test a get message just to validate the testing ("GET / HTTP/1.0"). With this command, you should get the default web page returned.

When I did step two, I received a 200 series message, which he says means the server is still vulnerable. When I did the GET / HTTP/1.0 command, I then received the default web page as he says.

Does anyone know anything about this? What could I be doing wrong? What should I do differently? Any help would be greatly appreciated. Thank you for your help!

--
Wade Preston
Baldwin Filters
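
A scripted form of the three-step telnet test described in the post above, as an added example that is not part of the original post: it sends the same TRACE and GET requests over a raw socket, applies the 2xx/4xx rule, and additionally confirms that a 2xx reply really is a TRACE echo by looking for a marker header in the body. The function names and the X-Probe-Token header are assumptions made for this example.

```python
import re
import secrets
import socket
import sys

def build_probe(method, host, token):
    """Raw HTTP/1.0 request. X-Probe-Token is a hypothetical marker header."""
    return (f"{method} / HTTP/1.0\r\nHost: {host}\r\n"
            f"X-Probe-Token: {token}\r\n\r\n").encode("ascii")

def send_raw(host, port, request, timeout=5.0):
    """Send the request bytes and read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        return b"".join(iter(lambda: sock.recv(4096), b""))

def status_code(raw):
    """Return the numeric status from the first line, or None if it is not HTTP."""
    m = re.match(rb"HTTP/\d\.\d (\d{3})", raw)
    return int(m.group(1)) if m else None

def classify_trace(raw, token):
    """Apply the post's rule (2xx = still enabled, 4xx = blocked) plus an echo check."""
    code = status_code(raw)
    if code is None:
        return "no-http-response"
    body = raw.partition(b"\r\n\r\n")[2]
    if 200 <= code < 300:
        # A real TRACE reply echoes the request, so the marker comes back in the body.
        return "trace-enabled" if token.encode() in body else "2xx-without-echo"
    if 400 <= code < 500:
        return "trace-blocked"
    return f"other-{code}"

def check_server(host, port=80):
    """Run the TRACE probe and a GET control request, as in steps 1-3 of the post."""
    token = secrets.token_hex(8)
    trace = classify_trace(send_raw(host, port, build_probe("TRACE", host, token)), token)
    get_code = status_code(send_raw(host, port, build_probe("GET", host, token)))
    return {"trace": trace, "get_status": get_code}

if __name__ == "__main__":
    print(check_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80))
```

Run it against each Apache instance separately, since each one has its own httpd.conf.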