THREAT
TRACE and TRACK are two HTTP methods used to debug web applications. These methods could be used by malicious users to perform Cross-site Tracing attacks which are used to bypass authentication token protections.
httpd server is vulnerable to TRACE requests and this needs to be remedied, We need to disallow http trace requests in Red Hat Enterprise Linux (RHEL)
RESOLUTION
We need to edit the httpd.conf file and add the line “TraceEnable off” to the httpd configuration and reload/restart httpd, doing this will cause httpd to respond to TRACE requests with a 405 status code error.
After disabling trace in httpd.conf file check the configuration file httpd.conf for errors.
/usr/sbin/httpd -t
and test from another server and you should get the output
You don’t have permission to access
Diagnostic Steps
To check if Trace is On/Off you can use Curl:
curl -v -X TRACE http://www.yourserver.com
To test how an http server responds to TRACE requests, use curl -X TRACE against a particular URL
For example, here a default RHEL 6 Apache httpd v2.2 config is tested:
Raw
~]# curl -X TRACE localhost
TRACE / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: localhost
Accept: */*
After adding TraceEnable off, here is how the same httpd server responds:
Raw
~]# echo TraceEnable off >>/etc/httpd/conf/httpd.conf
~]# service httpd reload
Reloading httpd:
~]# curl -X TRACE localhost
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at localhost Port 80</address>
</body></html>
To test https servers, explicitly preface the target URL with https://, e.g.:
Raw
curl -X TRACE https://localhost