?
Solved

TRACE / TRACK vulnerability testing

Posted on 2009-04-02
1
Medium Priority
?
1,989 Views
Last Modified: 2012-05-06
I have Apache httpd server (version 2.2.3) running and our security team has asked that we lock it down to  TRACE and TRACK vulnerabilities.   i have read that i can use "TraceEnable off" to turn it off, but how do i test before and after to see that it really is an issue and that it is fixed after i make the change?
how do i test it and what should i see as the result?
Also, we redirect all http traffic to https, so is this still an issue?

thanks in advance for you help.  
0
Comment
Question by:nohurt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 51

Accepted Solution

by:
ahoffmann earned 375 total points
ID: 24057840
> .. but how do i test
simply use telnet as follows

telnet your.server.tld 80
TRACE / HTTP/1.0


> .. what should i see
something like follows:

HTTP/1.1 200 OK
Date: Fri, 03 Apr 2009 00:42:42 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0


> Also, we redirect all http traffic to https, so is this still an issue?
yes
but if you disable TRACE then it should be disabled for both protocols.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most ColdFusion developers get confused between the CFSet, Duplicate, and Structcopy methods of copying a Structure, especially which one to use when. This Article will explain the differences in the approaches with examples; therefore, after readin…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question