• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Disabling the TRACE method natively via the 'TraceEnable' directive

R

rong

Guest
I am new to this, so please bear with me. To become PCI compliant I need to disabling the TRACE method natively via the 'TraceEnable' directive. Have tried the following:

File: /etc/httpd/conf/httpd.conf
Add Line at End: TraceEnable off

Restart Apache.

/etc/init.d/httpd restart

And it is still failing the text, I also put in the domain's vhost.conf

Here is what SecurityMetrics says:
Solution: Add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. Plugin output : The server response from a TRACE request is : TRACE /SMetrics513528519.html HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Charset: iso-8859-1,*,utf-8 Accept-Language: en Connection: Close Host: www.mkt-place.com Pragma: no-cache User-Agent: Mozilla/4.75 [en] (X11, U Smetrics ) CVE : CVE-2004-2320 BID : 9506, 9561, 11604 Other references : OSVDB:877, OSVDB:3726

Any suggestions or ideas?
 
If you have set TraceEnable Off in your config (and restarted apache!), this is a false positive from the scanner (most likely nessus). This type of automated vulnerability scanning has always been highly inaccurate. To verify if TRACE really has been disabled, try the following from the server:

telnet localhost 80

TRACE / HTTP/1.0
Host: domain.com
A: test1
C: test2

If the server returns a 403 error, then TRACE has been disabled. If you get a 200 error code, then it has not.
 
Disabled on port 80 - but...

It does show disabled on port 80, but the PCI compliance testers are requireing it to be disabled on port 8443 also. Sorry, I didn't state that in the orignal post.

How would I turn if off on the port 8443 is the real question?
 
You will need to disable the trace in the psa config files. /usr/local/psa/admin/conf

has the config files for plesk.
 
That isn't going to work on the plesk daemon unfortunately, the version of apache being used (1.3.33 I think) doesn't support the TraceEnable flag. You'll have to do the mod_rewrite method instead.
 
I am running the Plesk version psa v8.3.0_build83080131.20 os_FedoraCore 6

I had entered the TraceEnable off into httpsd.custom.include a short time ago. Then this morning I received the following.
------------------------
Processing config file: /usr/local/psa/admin/conf/httpsd.custom.include
Syntax error on line 19 of /usr/local/psa/admin/conf/httpsd.custom.include:
Invalid command 'TraceEnable', perhaps mis-spelled or defined by a module not included in the server configuration fatal error: Plesk graceful restart failed
-----------------------------

Now I have gone in and removed it and did a restart.

I am a BIG TIME NOVICE at this, what is a "mod_rewrite method" and to what file is it done?
 
Well, I guess that this problem is no longer relevent. I did the upgrade to Plesk 8.4 today and ran the PCI Compliance check and it nolonger found the problem. So it must have been one of the fixes!!

But now I need to go over to the Plesk 8.4 area and find out how to upgrade the PHP 5.1.6-3.7.fc6 to PHP 5.2.5 or higher.

Thanks for all the help!!
 
You must log in or register to reply here.

Similar threads

D
How do I turn off TRACK and TRACE HTTP please.
Replies
2
Views
5K
Dave-Brown
D
Back
Top