# TRACE/TRACK Method Detected



## adripillo (Jul 18, 2013)

Hello, I executed security/nikto to test my server and I got this in the report:


```
Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
```

Does anyone know how to disable this? Thanks.


----------



## ShelLuser (Jul 18, 2013)

adripillo said:

> Does anyone know how to disable this? Thanks.


Why do you think it needs to be disabled?

The HTTP protocol has several methods which are being used to send or retrieve information (from the server's point of view), amongst which HEAD and GET, and these are actually considered to be safe methods.

So I think this either depends on context (related to the kind of scan you executed) or is simply an overview of your webserver capabilities.


----------



## Anonymous (Jul 18, 2013)

Under certain circumstances, the TRACE method can be exploited for a Cross Site Tracing attack, and in some flawed setups, the HEAD method can be utilized for HEAD access control bypass.

I consider the first a problem inherited by the design of the TRACE method, while the second problem is not really a problem of the HEAD method, but the utilized authentication implementation needs to be fixed.

So, I disabled TRACE on my apache web servers by adding the following directive to /usr/local/etc/apache2x/httpd.conf, and I am happily living with the HEAD method.


```
...
TraceEnable off
...
```


----------
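The post above says why `TraceEnable off` matters but not how to confirm it took effect. The following is an added example, not code from the original thread or from the Apache project: it simulates the two server states locally (a server that echoes TRACE requests, and one that answers `405 Method Not Allowed` the way Apache does with `TraceEnable off`), then probes each with a TRACE request carrying a constructed marker header and a constructed sample cookie. If those values come back in the response body, the server is reflecting request headers, which is exactly the behaviour a Cross Site Tracing scenario relies on. It also splits an `Allow` header such as the nikto line in the first post and reports the methods a scanner flags. The handler classes, the header name `X-Trace-Probe` and the cookie value are assumptions made for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker header and cookie used to recognise our own request in an echoed body.
MARKER = "X-Trace-Probe"
SAMPLE_COOKIE = "session=constructed-sample"
UNSAFE_METHODS = {"TRACE", "TRACK"}


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Simulates a server with TRACE on: the request is echoed back as message/http."""

    def do_TRACE(self):
        echoed = f"{self.requestline}\r\n{self.headers}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the demo quiet
        pass


class TraceDisabledHandler(BaseHTTPRequestHandler):
    """Simulates `TraceEnable off`: Apache answers 405 Method Not Allowed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a simulated server on a free loopback port and serve it in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_trace(host, port):
    """Send one TRACE request and report (status, reflected).

    reflected is True only when the server answered 200 and echoed both the
    marker header and the cookie back in the body, i.e. TRACE is live.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={MARKER: "1", "Cookie": SAMPLE_COOKIE})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    reflected = resp.status == 200 and MARKER in body and SAMPLE_COOKIE in body
    return resp.status, reflected


def risky_methods(allow_header):
    """Split an OPTIONS `Allow` header (e.g. the nikto output above) and return
    the methods a scanner would flag, sorted."""
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(methods & UNSAFE_METHODS)


if __name__ == "__main__":
    print("flagged in nikto line:", risky_methods("GET, HEAD, POST, OPTIONS, TRACE"))
    for label, handler in (("TRACE on", TraceEnabledHandler), ("TraceEnable off", TraceDisabledHandler)):
        srv = start_server(handler)
        status, reflected = probe_trace(*srv.server_address)
        print(f"{label}: status={status} headers_reflected={reflected}")
        srv.shutdown()
        srv.server_close()
```

Against a real host, only `probe_trace` is needed: point it at your own web server after restarting Apache and expect `405` with `headers_reflected=False`. A `200` with the cookie echoed back means the directive is not in effect for that virtual host.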



## adripillo (Jul 18, 2013)

ShelLuser said:

> Why do you think it needs to be disabled?
> 
> The HTTP protocol has several methods which are being used to send or retrieve information (from the server's point of view), amongst which HEAD and GET, and these are actually considered to be safe methods.
> 
> So I think this either depends on context (related to the kind of scan you executed) or is simply an overview of your webserver capabilities.



So you mean that is ok?


----------



## adripillo (Jul 18, 2013)

rolfheinrich said:

> Under certain circumstances, the TRACE method can be exploited for a Cross Site Tracing attack, and in some flawed setups, the HEAD method can be utilized for HEAD access control bypass.
> 
> I consider the first a problem inherited by the design of the TRACE method, while the second problem is not really a problem of the HEAD method, but the utilized authentication implementation needs to be fixed.
> 
> ...



Thank you.


----------



## adripillo (Aug 3, 2013)

Hello, I was running a test on my server and found this "security fail". Does anyone know how to solve it?


----------



## adripillo (Aug 3, 2013)

adripillo said:

> Hello, I was running a test on my server and found this "security fail". Does anyone know how to solve it?



Solved by adding

```
TraceEnable off
```


----------



## wblock@ (Aug 3, 2013)

Nearly zero details are present here.  What test was run, and how?  What file was modified?


----------



## adripillo (Aug 3, 2013)

wblock@ said:

> Nearly zero details are present here.  What test was run, and how?  What file was modified?



I really do not know the name of the test; it was executed from outside by a friend. The file I modified to add that entry is httpd.conf.


----------



## kpa (Aug 3, 2013)

Sorry but what you have offered is zero use to anyone else. No details of what the problem was and no explanation how your "fix" actually helps.


----------



## wblock@ (Aug 3, 2013)

Wasn't that fixed back in this thread: Thread 40904?


----------



## adripillo (Aug 3, 2013)

wblock@ said:

> Wasn't that fixed back in this thread: Thread 40904?



Yes, it is the same fix. I need to look better next time.


----------



## DutchDaemon (Aug 3, 2013)

[ merged ]


----------

