Anthony Mendez
2009-Aug-25 21:15 UTC
[Secure-testing-team] Bug#543577: apache2: `TraceEnable off` does not disable HTTP TRACE method.
Package: apache2.2-common
Version: 2.2.9-10+lenny4
Severity: grave
Tags: security
Justification: user security hole

Adding `TraceEnable Off` to /etc/apache2/apache2.conf does not disable HTTP TRACE on the server. I also tried enabling mod_rewrite and using that method to disable HTTP TRACE, and that did not work either. The only software we are running on this server is WeBWork, an online math homework system. More information about WeBWork is available at "http://webwork.math.rochester.edu/". I don't know if it is what is causing the problem, but due to the program being in heavy use at the moment, I can't shut it down to see.

The following is my /etc/apache2/apache2.conf file:

    ServerRoot "/etc/apache2"
    LockFile /var/lock/apache2/accept.lock

    PidFile ${APACHE_PID_FILE}

    TraceEnable Off

    Timeout 1200
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15

    <IfModule mpm_prefork_module>
        StartServers 5
        MinSpareServers 5
        MaxSpareServers 10
        MaxClients 40
        MaxRequestsPerChild 100
    </IfModule>

    <IfModule mpm_worker_module>
        StartServers 2
        MaxClients 150
        MinSpareThreads 25
        MaxSpareThreads 75
        ThreadsPerChild 25
        MaxRequestsPerChild 0
    </IfModule>

    User ${APACHE_RUN_USER}
    Group ${APACHE_RUN_GROUP}

    AccessFileName .htaccess

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>

    DefaultType text/plain
    HostnameLookups Off
    ErrorLog /var/log/apache2/error.log
    LogLevel warn

    Include /etc/apache2/mods-enabled/*.load
    Include /etc/apache2/mods-enabled/*.conf
    Include /etc/apache2/httpd.conf
    Include /etc/apache2/ports.conf
    Include /etc/apache2/conf.d/

    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent

    ServerTokens Prod
    CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
    ServerSignature Off

    Include /etc/apache2/sites-enabled/

If you need any more information, please email me: almendez at csupomona.edu

Thank you for your time!

~Anthony Mendez

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias apreq auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi deflate dir env info mime negotiation perl rewrite setenvif status

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.2.9-10+lenny4  Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.9-10+lenny4       utility programs for webservers
ii  libapr1        1.2.12-5+lenny1       The Apache Portable Runtime Librar
ii  libaprutil1    1.2.12+dfsg-8+lenny4  The Apache Portable Runtime Utilit
ii  libc6          2.7-18                GNU C Library: Shared libraries
ii  libmagic1      4.26-1                File type determination library us
ii  libssl0.9.8    0.9.8g-15+lenny1      SSL shared libraries
ii  lsb-base       3.2-20                Linux Standard Base 3.2 init scrip
ii  mime-support   3.44-1                MIME files 'mime.types' & 'mailcap
ii  net-tools      1.60-22               The NET-3 networking toolkit
ii  perl           5.10.0-19             Larry Wall's Practical Extraction
ii  procps         1:3.2.7-11            /proc file system utilities
ii  zlib1g         1:1.2.3.3.dfsg-12     compression library - runtime

-- no debconf information
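The report says `TraceEnable Off` appeared to have no effect; the way to confirm whether the running server actually honours it is to send a single TRACE request to a host you administer and interpret the reply. The script below is an added example for that verification, not part of the bug report or of Apache: Apache with TRACE disabled answers 405 Method Not Allowed, while an enabled TRACE echoes the request (including a marker header we add) in a message/http body. The host, port and marker header name are assumptions.

```python
import http.client
import sys

# Constructed marker header: if the server echoes it back, TRACE is live.
MARKER_NAME = "X-Trace-Check"
MARKER_VALUE = "verify-543577"


def classify_trace_response(status, body):
    """Interpret the reply to a TRACE request.

    405  -> TRACE is refused (what TraceEnable Off should produce).
    200 with our marker echoed in the body -> TRACE is enabled.
    Anything else (501, proxy interference, empty body) -> unknown;
    inspect by hand rather than assuming the method is blocked.
    """
    if status == 405:
        return "disabled"
    marker = (MARKER_NAME + ": " + MARKER_VALUE).encode("ascii")
    if status == 200 and marker in body:
        return "enabled"
    return "unknown"


def probe_trace(host, port=80, path="/", timeout=5.0):
    """Send one TRACE request to a server you operate and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_NAME: MARKER_VALUE})
        resp = conn.getresponse()
        return classify_trace_response(resp.status, resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python3 trace_check.py <host> [port]  (host is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(target, target_port, probe_trace(target, target_port))
```

Run it once before and once after reloading Apache; a result of "enabled" after the reload means the directive is not being applied to the path that serves the request.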