HTTP TRACE / TRACK Methods Allowed is one of the vulnerabilities commonly reported against Apache servers.
To remove this vulnerability,
1. Modify httpd.conf and add the following lines at the end of the file.
#Added by Mithun Ashok to remove vulnerabilities
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
2. Restart Apache.
The following steps apply to Oracle E-Business Suite 11i, in addition to modifying httpd.conf.
In 11i, this vulnerability surfaces not only on the HTTP port but also on the httpd_pls and oprocmgr ports. Follow the steps below to remove HTTP TRACE and TRACK for the httpd_pls and oprocmgr ports.
3. Modify httpd.conf.
First comment out the following line in httpd.conf:
AddModule mod_rewrite.c
and then add the same line,
AddModule mod_rewrite.c
before the line below, so that mod_rewrite is already active when the RewriteEngine directives in oprocmgr.conf are parsed:
include "$IAS_ORACLE_HOME/Apache/Apache/conf/oprocmgr.conf"
4. Modify oprocmgr.conf, changing the following section from
<Location /oprocmgr-service>
SetHandler oprocmgr-service
</Location>
<Location /oprocmgr-status>
SetHandler oprocmgr-status
</Location>
</VirtualHost>
</IfModule>
# End of oprocmgr directives.
to
<Location /oprocmgr-service>
SetHandler oprocmgr-service
</Location>
<Location /oprocmgr-status>
SetHandler oprocmgr-status
</Location>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
</IfModule>
# End of oprocmgr directives.
5. Modify httpd_pls.conf and add the following lines at the end of the file.
#Added by Mithun Ashok to remove vulnerabilities
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
6. In httpd_pls.conf, modify the following section from
<VirtualHost _default_:*>
<Location />
Order deny,allow
Deny from all
Allow from localhost
</Location>
</VirtualHost>
to
<VirtualHost _default_:*>
<Location />
Order deny,allow
Deny from all
Allow from localhost
</Location>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
7. Restart Apache.
Check with telnet xxx.com 80:
kma
HTTP/1.0 200 OK
Date: Fri, 20 Jul 2012 06:57:43 GMT
Server: Apache/2.2.15 (CentOS)
Connection: close
Content-Type: message/http
A 200 OK with Content-Type: message/http means the server is still echoing the request back; once the RewriteRule is in effect, the [F] flag makes Apache answer 403 Forbidden instead.
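As an added example that is not part of the original post, the following Python script automates the telnet check above for each port of an instance (the web, httpd_pls and oprocmgr ports) and classifies the reply as still enabled, blocked, or unexpected. The sample responses are constructed (the first mirrors the headers shown above), and the host and port numbers are supplied by the caller.

```python
import socket

# Constructed sample responses (not captured from any host), used to exercise
# classify() offline. The first mirrors the headers the post shows.
SAMPLE_ENABLED = (b"HTTP/1.0 200 OK\r\nDate: Fri, 20 Jul 2012 06:57:43 GMT\r\n"
                  b"Server: Apache/2.2.15 (CentOS)\r\nConnection: close\r\n"
                  b"Content-Type: message/http\r\n\r\nTRACE / HTTP/1.0\r\n")
SAMPLE_BLOCKED = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body><h1>Forbidden</h1></body></html>")


def build_request(method, host):
    """The one-line request a tester would otherwise type into telnet."""
    return f"{method} / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify(response):
    """'enabled': the server echoed the request (200 + message/http).
    'blocked': the 403 produced by RewriteRule [F] (405/501 also count).
    'unexpected': anything else, including an unparsable reply."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    try:
        status = int(lines[0].split()[1])
    except (IndexError, ValueError):
        return "unexpected"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        return "enabled"
    if status in (403, 405, 501):
        return "blocked"
    return "unexpected"


def check_port(host, port, method, timeout=5.0):
    """Send one request, read the reply (up to 64 KiB) and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(method, host))
            reply, data = b"", sock.recv(4096)
            while data and len(reply) < 65536:
                reply += data
                data = sock.recv(4096)
    except OSError:
        return "error"  # refused, unreachable or timed out
    return classify(reply)
```

Run `check_port(host, port, m)` for `m` in `("TRACE", "TRACK")` against each of the three ports after restarting Apache; every call should return "blocked".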
Link http://www.mithunashok.com/2012/05/http-trace-track-methods-allowed.html,