Apache TRACK/TRACE

Namesniper

Hello,

Can anyone please tell me how dangerous Apache's TRACE and TRACK functions in fact are?
I have read the common explanations, but would disabling TRACK and TRACE improve my server's ability to fight cross-site scripting and similar attacks and make it more secure?
It would, but it would also break RFC.
The TRACE/TRACK issue is a long-lasting discussion between a few security experts (http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf) and the HTTP protocol RFC followers (like Roy T. Fielding, Apache Software Foundation co-founder; read http://ubuntuforums.org/showthread.php?t=292470).

Know this: TRACE and TRACK can help an attacker in some (very, very rare) cases where the browser already has a vulnerability, but that kind of vulnerability has not been found in any major browser for years.

I'd suggest disabling TRACE and TRACK if you run a very secure server (like an e-banking appliance), where you may have customers that use very old browsers and a stolen cookie can create serious issues... but before doing that I'd also suggest using one-time-passwords and many other application-specific protections to avoid any possible security breach...

If you just want average security, don't bother.
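A way to verify the setting on a server you administer, as an added example that is not part of this thread: given a captured raw HTTP response to a TRACE request, the code below decides whether the method is actually enabled (a 200 with a message/http body echoing the request) or refused, and lists which request headers came back in the echo. The request line and both sample responses are constructed, not captured from any real host.

```python
# Added example (not from the thread): classify a captured response to a TRACE
# probe sent to your own server, e.g. after changing httpd.conf, to confirm
# that the loaded configuration really refuses the method.

REQUEST_LINE = b"TRACE / HTTP/1.1"

# Constructed sample responses (not real captures).
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 67\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Cookie: session=abc123\r\n"   # a reflected Cookie header is the cross-site tracing concern
    b"\r\n"
)
DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def trace_enabled(raw, request_line=REQUEST_LINE):
    """True only if the server echoed our request back: a 200 whose
    message/http body starts with the request line. 405/501 or anything
    else means the method is refused."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return False
    if not headers.get("content-type", "").startswith("message/http"):
        return False
    return body.startswith(request_line)


def echoed_headers(raw):
    """Names of the request headers the server reflected (what an echo exposes)."""
    _, _, body = parse_response(raw)
    names = []
    for line in body.split(b"\r\n")[1:]:
        if not line:
            break
        names.append(line.split(b":", 1)[0].strip().lower().decode("latin-1"))
    return names
```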
It's disabled by default only if you use CustomBuild to install Apache (which I strongly suggest) during the DA setup.

Namesniper said:
Is it possible to harden the server so that even if a shell script gets through, it wouldn't run and they won't be able to execute commands?
A PHP shell script is just a script that executes a few potentially dangerous functions -- disable those functions.
For example look at this post: http://www.directadmin.com/forum/showpost.php?p=145561&postcount=15
There are many different suggestions around the web; you could try some of them and see if all of your customers' websites work fine.
It's disabled by default only if you use CustomBuild to install Apache (which I strongly suggest) during the DA setup.

I always use custombuild, never once have used customapache.

I see what it is in the static/default httpd.conf; however, what gets loaded when the DA installer is done and you've run ./build is not what is in that file. TRACK/TRACE are still enabled.

I have no problem with that, it's easy to disable. But for others it may not be so easy. I'm installing a new host on Monday (new licence, new server, etc.), so I'll re-verify then as well, but the last few machines I've done have had it enabled by default.
It's disabled by default only if you use CustomBuild to install Apache (which I strongly suggest) during the DA setup.


A PHP shell script is just a script that executes a few potentially dangerous functions -- disable those functions.
For example look at this post: http://www.directadmin.com/forum/showpost.php?p=145561&postcount=15
There are many different suggestions around the web; you could try some of them and see if all of your customers' websites work fine.
Is your guide ready now?
I don't understand why you ask me that, quoting a post that links to a post where I talk about another thread dedicated to the subject... but anyway, no, of course not :( When I finish it I'm going to update all threads.