Description: How to disable the HTTP TRACE method on recent apache versions.
Most vulnerability scanners (like the popular nessus, but commercial ones also) will complain (normally as a low thread or warning level) about TRACE method being enabled on the web server tested.
Normally you will have this enabled by default, but if you want to test if it is really enabled on your server you just have to telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system. The output of a server with TRACE enabled will look like:
telnet 127.0.0.1 80 Trying 127.0.0.1… Connected to 127.0.0.1. Escape character is ‘^]’.
TRACE / HTTP/1.0 Host: foo Any text entered here will be echoed back in the response <- ENTER twice to finish HTTP/1.1 200 OK
Date: Wed, 10 Sep 2009 22:19:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http TRACE / HTTP/1.0
Host: foo Any text entered here will be echoed back in the response Connection closed by foreign host.
Traditionally experts will suggest to disable this using some rewrite rules like:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
(this needs to be added somewhere in your main apache config file outside of any vhost or directory config).
Still this has the disadvantage that you need to have mod_rewrite enabled on the server just to mention one. But for apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 (or newer) for apache2 this can be done very easily because there is a new apache variable that controls if TRACE method is enabled or not: TraceEnable off
This needs to be added in the main server config and the default is enabled (on). TraceEnable off causes apache to return a 403 FORBIDDEN error to the client.
After setting this and reloading the apache config the same server as above shows:
telnet 127.0.0.1 80
Trying 127.0.0.1… Connected to 127.0.0.1.
Escape character is ‘^]’.
TRACE / HTTP/1.0 Host: foo testing… <- ENTER twice HTTP/1.1 403 Forbidden
Date: Wed, 20 Sep 2009 22:28:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320 Connection: close
Content-Type: text/html;
charset=iso-8859-1
<!DOCTYPE HTML(link) PUBLIC "-//IETF//DTD HTML(link) 2.0//EN">
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don’t have permission to access / on this server.</p>
<hr> <address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body>
</html>
Connection closed by foreign host.
Very nice site!
I bookmarked this link. Thank you for good job!
Excellent site. It was pleasant to me.
Perfect work!
Very interesting site. Hope it will always be alive!
Great site. Keep doing.
I want to say – thank you for this!
Great work,webmaster,nice design!
It is the coolest site, keep so!
Very cute :-))))
Great. Now i can say thank you!
Excellent site. It was pleasant to me.
Perfect work!
Very interesting site. Hope it will always be alive!
Great site. Keep doing.
I want to say – thank you for this!
It is the coolest site, keep so!
Great. Now i can say thank you!
If you have to do it, you might as well do it right.
I bookmarked this link. Thank you for good job!
Excellent site. It was pleasant to me.
Perfect work!
Very interesting site. Hope it will always be alive!
I want to say – thank you for this!
This is the welcome page for the dietguidance.us Association web site.
If you have to do it, you might as well do it right.
I bookmarked this link. Thank you for good job!
Excellent site. It was pleasant to me.
Perfect work!
Very interesting site. Hope it will always be alive!
Great site. Keep doing.
I want to say – thank you for this!
Great work,webmaster,nice design!
It is the coolest site, keep so!
Very cute :-))))
Great. Now i can say thank you!
I bookmarked this link. Thank you for good job!
Excellent site. It was pleasant to me.
Perfect work!
Very interesting site. Hope it will always be alive!
I want to say – thank you for this!
Great work,webmaster,nice design!
Very cute :-))))
Great. Now i can say thank you!
If you have to do it, you might as well do it right.
I bookmarked this link. Thank you for good job!
Excellent site. It was pleasant to me.
Perfect work!
Very interesting site. Hope it will always be alive!