
Disabling the TRACE method natively via the 'TraceEnable' directive

rong (Guest)
I am new to this, so please bear with me. To become PCI compliant I need to disable the TRACE method natively via the 'TraceEnable' directive. I have tried the following:

File: /etc/httpd/conf/httpd.conf
Add Line at End: TraceEnable off

Restart Apache.

/etc/init.d/httpd restart

And it is still failing the test. I also put it in the domain's vhost.conf.

Here is what SecurityMetrics says:
Solution: Add the following lines for each virtual host in your configuration file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Plugin output: The server response from a TRACE request is:

TRACE /SMetrics513528519.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Close
Host: www.mkt-place.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U Smetrics )

CVE: CVE-2004-2320
BID: 9506, 9561, 11604
Other references: OSVDB:877, OSVDB:3726

Any suggestions or ideas?
 
If you have set TraceEnable Off in your config (and restarted apache!), this is a false positive from the scanner (most likely nessus). This type of automated vulnerability scanning has always been highly inaccurate. To verify if TRACE really has been disabled, try the following from the server:

telnet localhost 80

TRACE / HTTP/1.0
Host: domain.com
A: test1
C: test2

If the server returns a 403 error, then TRACE has been disabled. If you get a 200 error code, then it has not.
 
Disabled on port 80 - but...

It does show disabled on port 80, but the PCI compliance testers are requiring it to be disabled on port 8443 also. Sorry, I didn't state that in the original post.

How would I turn it off on port 8443 is the real question?
 
You will need to disable the trace in the psa config files. /usr/local/psa/admin/conf has the config files for Plesk.
 
That isn't going to work on the plesk daemon unfortunately, the version of apache being used (1.3.33 I think) doesn't support the TraceEnable flag. You'll have to do the mod_rewrite method instead.
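An automated version of the telnet check given earlier in the thread, extended to the TLS port 8443 that the compliance scanner also tests. This is an added example, not code from the thread or from Plesk: it sends a TRACE request carrying a random marker header and reports "enabled" only if the server echoes that marker back with a 200, which is what a real TRACE response looks like. It treats a 405 as "disabled" as well as a 403, because Apache answers TraceEnable off with 405 Method Not Allowed while the mod_rewrite [F] rule from the scanner report produces a 403. The sample responses at the bottom are constructed for offline use; the host names and the self-signed-certificate handling for port 8443 are assumptions.

```python
"""Probe an HTTP(S) endpoint to confirm the TRACE method is refused."""
import http.client
import ssl
import sys
import uuid

# Custom header we send so a genuine TRACE echo can be told apart from an
# unrelated 200 (for example an error page served with the wrong status).
MARKER_HEADER = "X-Trace-Probe"


def parse_status_line(raw: bytes) -> int:
    """Return the status code from a raw response, e.g. what telnet prints."""
    first_line = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % first_line)
    return int(parts[1])


def trace_verdict(status: int, body: bytes, marker: str) -> str:
    """Classify a TRACE response.

    200 with our marker echoed in the body  -> TRACE is enabled
    403 (mod_rewrite [F]) or 405 (TraceEnable off) or 501 -> disabled
    anything else (e.g. 200 without the echo) -> unclear, inspect by hand
    """
    if status == 200 and marker.encode() in body:
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unclear"


def verdict_from_raw(raw: bytes, marker: str) -> str:
    """Classify a complete raw response captured by hand (headers + body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return trace_verdict(parse_status_line(head), body, marker)


def probe_trace(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> str:
    """Send a TRACE request over the network and classify the answer."""
    marker = uuid.uuid4().hex
    if use_tls:
        # Assumption: the admin port often carries a self-signed certificate;
        # certificate validation is irrelevant to whether TRACE is answered.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        return trace_verdict(resp.status, resp.read(), marker)
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server) so the
# classifier can be exercised without network access.
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Trace-Probe: abc123\r\n\r\n"
)
SAMPLE_TRACEENABLE_OFF = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"
SAMPLE_REWRITE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>"


if __name__ == "__main__":
    # Usage: python trace_probe.py [host]; checks the web port and the Plesk port.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port, tls in ((80, False), (8443, True)):
        try:
            print(f"{target}:{port} TRACE {probe_trace(target, port, tls)}")
        except OSError as exc:
            print(f"{target}:{port} unreachable: {exc}")
```

Run it against the server itself, as the telnet check was, so a firewall in front of the box does not mask the result; an "unclear" verdict means the status code alone does not settle it and the raw response should be read by hand.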
 
I am running the Plesk version psa v8.3.0_build83080131.20 os_FedoraCore 6

I had entered the TraceEnable off into httpsd.custom.include a short time ago. Then this morning I received the following.
------------------------
Processing config file: /usr/local/psa/admin/conf/httpsd.custom.include
Syntax error on line 19 of /usr/local/psa/admin/conf/httpsd.custom.include:
Invalid command 'TraceEnable', perhaps mis-spelled or defined by a module not included in the server configuration fatal error: Plesk graceful restart failed
-----------------------------

Now I have gone in and removed it and did a restart.

I am a BIG TIME NOVICE at this, what is a "mod_rewrite method" and to what file is it done?
 
Well, I guess that this problem is no longer relevant. I did the upgrade to Plesk 8.4 today and ran the PCI Compliance check and it no longer found the problem. So it must have been one of the fixes!!

But now I need to go over to the Plesk 8.4 area and find out how to upgrade the PHP 5.1.6-3.7.fc6 to PHP 5.2.5 or higher.

Thanks for all the help!!
 