Secure Apache TRACE Vulnerabilities

From CobaltFAQs

Jump to: navigation, search

See http://www.kb.cert.org/vuls/id/867593 for more details. To test your server for vulnerability, in a shell session do

 telnet www.example.com 80

After the response

 Trying 12.34.56.78...
 Connected to www.example.com.
 Escape character is '^]'.

enter these commands:

 TRACE /index.html HTTP/1.1
 Host: www.example.com
 [CR]
 [CR] = Carriage Return, for a blank line to signify the end of the headers being sent

If your server is "vulnerable" you will get a response back similar to this one (status 200):

 HTTP/1.1 200 OK
 Date: Sat, 17 Dec 2005 23:51:29 GMT
 Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
 Connection: close
 Transfer-Encoding: chunked
 Content-Type: message/http
 30
 TRACE /index.html HTTP/1.1
 Host: www.example.com
 0
 Connection closed by foreign host.

This is "bad" because an attacker could get cookie or other information returned by using a carefully crafted request.

To protect your server, you must login as root and add this block of code to every VirtualHost container in /etc/httpd/conf/httpd.conf and /etc/httpd/conf/vhosts/site[1-n]:

 # Block TRACE/TRACK XSS vector
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
 RewriteRule .* - [F]

Then restart Apache

 /etc/rc.d/init.d/httpd reload

Once you do that, you can perform the same test and the reply will look different:

 HTTP/1.1 403 Forbidden
 Date: Sat, 17 Dec 2005 00:01:06 GMT
 Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
 Last-Modified: Fri, 11 Feb 2005 05:30:57 GMT
 ETag: "601d904-4dd-420c4311"
 Accept-Ranges: bytes
 Content-Length: 1245
 Content-Type: text/html
 
 ... HTML content snipped ...
Personal tools