Apache

Disable HTTP TRACE Method in Apache

by Santosh Prasad

Most of time vulnerability scanners complains about the TRACE method has been enabled your your web server.
By default it is enabled in Apache. If you want to test if it is really enabled on your server you just have to telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.

You will get the some output from telnet like below:

# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: looklinux
Any text entered here will be echoed back in the response <- ENTER twice to finish

HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: looklinux
Any text entered here will be echoed back in the response
Connection closed by foreign host.

It is recommended to disable this using rewrite rules in .htaccess file like below:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

You can also put above lines in your apache config file.

In Apache version 2.0.55+ for apache2 this can be done very easily because there is a new apache variable that controls if TRACE method is enabled or not.

TraceEnable off

You will need to add in the main server config file and default is enabled (on). You will get the 403 Forbidden error if you do TraceEnable off.

After adding the above line relaod the apache service to apply changes.

# server httpd reload

Now do the telnet again and you will get the some output like below:

#telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: looklinux
test...  <- ENTER twice

HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body></html>
Connection closed by foreign host.

Now above you can see the HTTP/1.1 403 Forbidden in the output.

Thank you! for visiting LookLinux.

If you find this tutorial helpful please share with your friends to keep it alive. For more helpful topic browse my website www.looklinux.com. To become an author at LookLinux Submit Article. Stay connected to Facebook.

You may also like

About the author

mm

Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool article for you. If you have any query and suggestion please comment in comment section.

View all posts

Leave a Comment