Disabling HTTP TRACE

The HTTP TRACE method is a debugging feature of HTTP itself (not something specific to Apache, though Apache answers it by default) that simply echoes the request it received back to the client in the response body. The attack this enables is known as Cross-Site Tracing (XST): if an attacker can get a victim's browser to issue a TRACE to a site, the echoed response hands the attacker's script the victim's cookies and other request headers for that domain, including cookies marked HttpOnly that script could not otherwise read. Modern browsers refuse to send TRACE from XMLHttpRequest or fetch, which blunts the classic attack, but scanners still flag it and there is no reason to leave it enabled. See http://www.apacheweek.com/issues/03-01-24#news for more info.

Here is a sample HTTP TRACE session through telnet (the 200 response with Content-Type: message/http and the request echoed back is what tells you TRACE is enabled):

[root@wwwa ~]# telnet 11.22.33.44 80
Trying 11.22.33.44...
Connected to mywebsite.com (11.22.33.44).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing

HTTP/1.1 200 OK
Date: Thu, 29 Nov 2007 15:25:59 GMT
Server: Apache/2.2.6 (Unix)
Transfer-Encoding: chunked
Content-Type: message/http

42
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing

Disabling it is easy enough. On Apache 1.3.34, 2.0.55 and later (the 2.2.6 server above qualifies) the cleanest fix is the TraceEnable directive: put TraceEnable Off in the main server config or a <VirtualHost> block (it is not allowed in .htaccess), and Apache will answer TRACE with 405 Method Not Allowed. On older versions, or if you already rely on mod_rewrite, add this to your Apache configuration instead. The [R] flag answers with a redirect rather than the echoed request; replacing the target and flag with "- [F]" would return 403 Forbidden, which is the more usual choice.

# Catch TRACE wherever mod_rewrite is active and answer with a redirect instead of the echo
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* http://www.campusbooks.com/ [R]
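To check a server before and after the change, here is an added Python probe (not code from the original post): it sends the same kind of TRACE request as the telnet session above, decodes the chunked reply, and reports TRACE as enabled only when the server echoes the request back as message/http. The sample responses embedded in it are constructed for illustration, and www.mywebsite.com is the placeholder host name from the post.

```python
"""Probe a web server for HTTP TRACE (Cross-Site Tracing exposure).

Added example, not code from the original post. The sample responses at the
bottom are constructed, not captured from a real host.
"""
import socket


def build_trace_request(host: str, path: str = "/", marker: str = "XST-check") -> bytes:
    """Build the raw TRACE request; the X-Header value is our marker to look for in the echo."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"X-Header: {marker}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def _decode_chunked(data: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (hex size line, data, CRLF, ... , 0 chunk)."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates every chunk
    return bytes(out)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = _decode_chunked(body)
    return status, headers, body


def trace_enabled(raw: bytes, marker: str = "XST-check") -> bool:
    """True only if the server answered 200 message/http and echoed our request back.

    A 405 (TraceEnable Off), a 403 (RewriteRule ... [F]) or a 302 (RewriteRule ... [R])
    all mean TRACE is not being echoed and count as disabled.
    """
    status, headers, body = parse_response(raw)
    return (
        status == 200
        and headers.get("content-type", "").lower().startswith("message/http")
        and body.startswith(b"TRACE ")
        and f"X-Header: {marker}".encode("ascii") in body
    )


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Send a TRACE to a live host you are allowed to test and report whether it is echoed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed sample responses. The chunk size 42 (hex) is the 66 bytes of echoed request.
ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.6 (Unix)\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"42\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.mywebsite.com\r\nX-Header: XST-check\r\n\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
DISABLED_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache/2.2.6 (Unix)\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
REDIRECTED_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://www.campusbooks.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.mywebsite.com"
    print(f"{target}: TRACE {'ENABLED' if probe(target) else 'disabled'}")
```

Run it as python trace_check.py yourhost against a server you administer; a host answering with the rewrite rule or TraceEnable Off shows "disabled". The probe looks for its own marker header in the echo rather than trusting the status code alone, so a 200 page that merely says "method not supported" is not misreported as an echo.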
