[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#543577: apache2: `TraceEnable off` does not disable HTTP TRACE method.

Package: apache2.2-common
Version: 2.2.9-10+lenny4
Severity: grave
Tags: security
Justification: user security hole

Adding `TraceEnable Off` to /etc/apache2/apache2.conf doest not disbable HTTP
TRACE on the server. 

I also tried enabling mod_rewrite and using that method to disable HTTP Trace
and that did not work either. The only software we are running on this server is
WeBWork, an online math homework system. More information about WeBWork is
avaliable at "http://webwork.math.rochester.edu/";. I don't know if it is what is
causing the problem, but due to the program being in heavy use at the moment, I
can't shut it down to see.

The following is my /etc/apache2/apache2.conf file:
   |  ServerRoot "/etc/apache2"
   |  LockFile /var/lock/apache2/accept.lock
   |  PidFile ${APACHE_PID_FILE}
   |  TraceEnable Off
   |  Timeout 1200
   |  KeepAlive On
   |  MaxKeepAliveRequests 100
   |  KeepAliveTimeout 15
   |  <IfModule mpm_prefork_module>
   |      StartServers          5
   |      MinSpareServers       5
   |      MaxSpareServers      10
   |      MaxClients           40
   |      MaxRequestsPerChild 100
   |  </IfModule>
   |  <IfModule mpm_worker_module>
   |      StartServers          2
   |      MaxClients          150
   |      MinSpareThreads      25
   |      MaxSpareThreads      75 
   |      ThreadsPerChild      25
   |      MaxRequestsPerChild   0
   |  </IfModule>
   |  User ${APACHE_RUN_USER}
   |  Group ${APACHE_RUN_GROUP}
   |  AccessFileName .htaccess
   |  <Files ~ "^\.ht">
   |      Order allow,deny
   |      Deny from all
   |  </Files>
   |  DefaultType text/plain
   |  HostnameLookups Off
   |  ErrorLog /var/log/apache2/error.log
   |  LogLevel warn
   |  Include /etc/apache2/mods-enabled/*.load
   |  Include /etc/apache2/mods-enabled/*.conf
   |  Include /etc/apache2/httpd.conf
   |  Include /etc/apache2/ports.conf
   |  Include /etc/apache2/conf.d/
   |  LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
   |  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
   |  LogFormat "%h %l %u %t \"%r\" %>s %b" common
   |  LogFormat "%{Referer}i -> %U" referer
   |  LogFormat "%{User-agent}i" agent
   |  ServerTokens Prod
   |  CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
   |  ServerSignature Off
   |  Include /etc/apache2/sites-enabled/

If you need any more information please email me: almendez@csupomona.edu

Thank you for your time!

~Anthony Mendez

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias apreq auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env info mime
  negotiation perl rewrite setenvif status

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny4 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny4      utility programs for webservers
ii  libapr1             1.2.12-5+lenny1      The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical Extraction 
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:    compression library - runtime

-- no debconf information

Reply to: