Disable Track and Trace in Apache

TraceEnable off
is available in Apache 1.3.34, 2.0.55 and later

Otherwise you will need to add:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
RewriteRule .* – [F]

to a /etc/httpd/conf.d/zz_020_disable_track_trace.conf
and possibly to the individual vhost.conf’s

For tomcat
simply edit $TOMCAT/conf/server.xml, and for the <connector> element, add an attribute: allowTrace=”false”. Restart Tomcat and enjoy.

To Test:

telnet www.example.com 80

After the response

Trying 12.34.56.78…
Connected to www.example.com.
Escape character is ‘^]’.

enter these commands:

TRACE /index.html HTTP/1.1
Host: www.example.com
[CR]

[CR] = Carriage Return, for a blank line to signify the end of the headers being sent

If your server is “vulnerable” you will get a response back similar to this one (status 200):

HTTP/1.1 200 OK
Date: Sat, 17 Dec 2005 23:51:29 GMT
Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

30
TRACE /index.html HTTP/1.1
Host: www.example.com

0

Connection closed by foreign host.

Once it has been fixed you should get a forbidden error:

HTTP/1.1 403 Forbidden
Date: Sat, 17 Dec 2005 00:01:06 GMT
Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
Last-Modified: Fri, 11 Feb 2005 05:30:57 GMT
ETag: “601d904-4dd-420c4311″
Accept-Ranges: bytes
Content-Length: 1245
Content-Type: text/html

… HTML content snipped …

You can leave a response, or trackback from your own site.

Leave a Reply