
Add TraceEnable #59

Closed
mathiasbynens opened this issue Feb 10, 2015 · 9 comments
Labels
enhancement New feature or request help wanted Extra attention is needed
Comments

@mathiasbynens
Member

This is what the default /etc/apache2/conf.d/security file says:

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
#
TraceEnable Off
#TraceEnable On

https://httpd.apache.org/docs/2.2/mod/core.html#traceenable

It wouldn’t hurt to add TraceEnable off to the config (overriding the default value on).

@efes0

efes0 commented Feb 13, 2015

Last I heard, to be PCI compliant you need to set TraceEnable off

for some reason we also had to set the following

# Reject TRACE requests with 403 Forbidden via mod_rewrite
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

@AD7six AD7six added the enhancement New feature or request label Feb 23, 2015
@AD7six
Member

AD7six commented Feb 23, 2015

👍

@alrra
Member

alrra commented Mar 2, 2015

From https://httpd.apache.org/docs/current/mod/core.html#TraceEnable

Despite claims to the contrary, TRACE is not a security vulnerability and there is no viable reason for it to be disabled. Doing so necessarily makes your server non-compliant.

@mathiasbynens Can you provide more details on why this should be done? Thanks!

@efes0

efes0 commented Mar 2, 2015

this is a bit old but if it still holds true...

https://bugzilla.redhat.com/show_bug.cgi?id=463940

http://www.apacheweek.com/issues/03-01-24#news

@mathiasbynens
Member Author

As the docs say:

The default TraceEnable on permits TRACE requests per RFC 2616, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

There is no reason to allow TRACE HTTP requests on a production website.

From https://httpd.apache.org/docs/current/mod/core.html#TraceEnable

Despite claims to the contrary, TRACE is not a security vulnerability and there is no viable reason for it to be disabled. Doing so necessarily makes your server non-compliant.

Note that per RFC 2616, support for HTTP TRACE is OPTIONAL: http://tools.ietf.org/html/rfc2616#section-5.1.1 So it is perfectly compliant to disable it.

@alrra
Member

alrra commented Mar 3, 2015

@efes0, @mathiasbynens Thanks for your comments!

@ryran

ryran commented Jun 28, 2016

For the record (and for future search-engine users stumbling across this), the original HTTP/1.1 RFC2616 mentioned above by @mathiasbynens was superseded in 2014 by a collection of updated HTTP/1.1 RFCs.

That said, his point about TRACE being optional still holds of course. Here's the updated link and verbiage -- i.e., from RFC7231's Overview of Methods:

This specification defines a number of standardized methods that are
commonly used in HTTP, as outlined by the following table.
...
All general-purpose servers MUST support the methods GET and HEAD.
All other methods are OPTIONAL.

@XhmikosR XhmikosR changed the title from "Add `TraceEnabled`" to "Add TraceEnable" Sep 1, 2017
@XhmikosR
Member

XhmikosR commented Sep 1, 2017

Can someone make a PR?

@LeoColomb LeoColomb added the help wanted Extra attention is needed label Apr 5, 2018
@LeoColomb LeoColomb added this to the v4.0.0 milestone Apr 14, 2018
@Malvoz
Contributor

Malvoz commented Nov 23, 2018

The OWASP documentation on:

Cross-Site Tracing (XST) suggests that:

Modern browsers now prevent TRACE requests being made via JavaScript, however, other ways of sending TRACE requests with browsers have been discovered, such as using Java.

In Test HTTP methods:

HTTP offers a number of methods that can be used to perform actions on the web server. Many of these methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured.

... methods that should be disabled are the following:

PUT: ... An attacker can exploit it by uploading malicious files.

DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack.

CONNECT: This method could allow a client to use the web server as a proxy.

TRACE: ... This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing.

And in Testing for HTTP Verb Tampering:

As long as the web application being tested does not specifically call for any non-standard HTTP methods, testing for HTTP verb tampering is quite simple. If the server accepts a request other than GET or POST, the test fails. The solution is to disable all non GET or POST functionality within the web application server, or in a web application firewall.

This issue is focusing solely on TRACE; however, if methods other than GET and POST are deemed safe to disallow entirely: Just send a 405 Method Not Allowed for everything else?

E.g:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST) [NC]
RewriteRule .* - [R=405,L]
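A small check for verifying, against your own server, that the TraceEnable off behaviour @mathiasbynens quotes (405 for TRACE) or the method allow-list rewrite above actually takes effect, and that TRACE is not reflecting the request back (the Cross-Site Tracing case from the OWASP text). This is an added example, not h5bp project code; the MARKER header name and the SAMPLES replies are constructed for illustration.

```python
"""Classify replies to a TRACE / PUT / DELETE probe of your own server: 405 is
what TraceEnable off returns, 403 is what the [F] rewrite variant returns, and a
reflected request body means TRACE is still on.  Example code, not h5bp's."""
import socket

MARKER = "X-Trace-Probe"  # hypothetical header; only used to detect reflection


def build_request(method, host, path="/"):
    # Bare HTTP/1.1 request with no body, as RFC 7231 requires for TRACE.
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"{MARKER}: probe\r\nConnection: close\r\n\r\n")


def classify_response(method, raw):
    """'blocked' (403/405/501), 'reflected' (TRACE echoed our request back,
    i.e. TraceEnable on), 'allowed' (any other reply) or 'unparseable'."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2 or not parts[1].isdigit():
        return "unparseable"
    if int(parts[1]) in (403, 405, 501):
        return "blocked"
    if method == "TRACE" and MARKER in body:
        return "reflected"
    return "allowed"


def probe(host, port, method, timeout=5.0):
    """Send one request over a plain socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, host).encode())
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return classify_response(method, b"".join(chunks).decode(errors="replace"))


# Constructed sample replies: TraceEnable off, TraceEnable on, PUT accepted.
SAMPLES = {
    "off": ("TRACE", "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"),
    "on": ("TRACE", "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                    "TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Trace-Probe: probe\r\n\r\n"),
    "put": ("PUT", "HTTP/1.1 201 Created\r\nContent-Length: 0\r\n\r\n"),
}


def demo():
    return {name: classify_response(m, raw) for name, (m, raw) in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    print(demo())  # {'off': 'blocked', 'on': 'reflected', 'put': 'allowed'}
    if len(sys.argv) > 1:  # optional: host [port] of a server you administer
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for m in ("TRACE", "PUT", "DELETE"):
            print(m, probe(host, port, m))
```

Run it with no arguments to see the three constructed cases classified; pass a host to check a server you operate after changing the config.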

LeoColomb added a commit that referenced this issue Nov 24, 2018
LeoColomb added a commit that referenced this issue Aug 7, 2019
LeoColomb added a commit that referenced this issue Jan 3, 2020