
HTTP TRACE / TRACK Methods Allowed Vulnerability

HTTP TRACE / TRACK Methods Allowed is one of the vulnerabilities that haunt Apache servers.

To remove this vulnerability:

1. Modify httpd.conf and add the following lines at the end of the file.

#Added by Mithun Ashok to remove vulnerabilities
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

2. Restart Apache.

The following steps can be used for Oracle E-Biz Suite 11i, along with modifying httpd.conf.

In 11i, this vulnerability surfaces not only on the http port but also on the httpd_pls and oprocmgr ports. Follow the steps below to disable HTTP TRACE and TRACK on the httpd_pls and oprocmgr ports.


3. Modify httpd.conf.

First, comment out the following line in httpd.conf:

AddModule mod_rewrite.c

and then add the same line,

AddModule mod_rewrite.c

before the line below:



include "$IAS_ORACLE_HOME/Apache/Apache/conf/oprocmgr.conf"


4. Modify oprocmgr.conf, changing the following section from,

     <Location /oprocmgr-service>
       SetHandler oprocmgr-service
     </Location>
     <Location /oprocmgr-status>
       SetHandler oprocmgr-status
     </Location>
   </VirtualHost>
</IfModule>
# End of oprocmgr directives.


to


     <Location /oprocmgr-service>
       SetHandler oprocmgr-service
     </Location>
     <Location /oprocmgr-status>
       SetHandler oprocmgr-status
     </Location>
     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
     RewriteRule .* - [F]
   </VirtualHost>
</IfModule>
# End of oprocmgr directives.


5. Modify httpd_pls.conf and add the following lines at the end of the file.

#Added by Mithun Ashok to remove vulnerabilities
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


6. Modify httpd_pls.conf, changing the following section from,

<VirtualHost _default_:*>
  <Location />
    Order deny,allow
    Deny from all
    Allow from localhost
  </Location>
</VirtualHost>


to

<VirtualHost _default_:*>
  <Location />
    Order deny,allow
    Deny from all
    Allow from localhost
  </Location>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
</VirtualHost>


7. Restart Apache.
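
The procedure repeats the rewrite block inside each VirtualHost because mod_rewrite settings in the main server configuration are not inherited by virtual hosts by default. The check below is an added example, not part of the original post: it reads the text of a configuration file and lists every scope (main server or VirtualHost) that still lacks the TRACE/TRACK block. The function names audit and scope_blocks_trace and the sample text are constructed for illustration.

```python
import re

ENGINE = re.compile(r"\s*RewriteEngine\s+on\s*$", re.I)
COND = re.compile(r"\s*RewriteCond\s+%\{REQUEST_METHOD\}\s+(\S+)", re.I)
RULE = re.compile(r"\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?", re.I)
VHOST = re.compile(r"\s*<VirtualHost\s+([^>]+)>", re.I)

def scope_blocks_trace(lines):
    """True if the scope turns the engine on and a TRACE/TRACK cond guards an [F] rule."""
    engine = pending = blocked = False
    for line in lines:
        cond, rule = COND.match(line), RULE.match(line)
        engine = engine or bool(ENGINE.match(line))
        if cond:  # conditions accumulate until the next RewriteRule
            pending = pending or {"TRACE", "TRACK"} <= set(re.findall(r"[A-Z]+", cond.group(1).upper()))
        elif rule:
            flags = {f.strip().upper() for f in (rule.group(1) or "").split(",")}
            blocked = blocked or (pending and bool(flags & {"F", "FORBIDDEN"}))
            pending = False
    return engine and blocked

def audit(conf_text):
    """Return the scopes (main server, each VirtualHost) lacking the TRACE/TRACK block."""
    scopes = [("main server", [])]
    current = scopes[0][1]
    lines = [l for l in conf_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for line in lines:
        if opened := VHOST.match(line):
            scopes.append(("VirtualHost " + opened.group(1).strip(), []))
            current = scopes[-1][1]
        elif re.match(r"\s*</VirtualHost>", line, re.I):
            current = scopes[0][1]
        else:  # <Location> contents are counted with the enclosing scope
            current.append(line)
    return [name for name, lines in scopes if not scope_blocks_trace(lines)]

# Constructed sample: httpd_pls.conf with step 5 applied but not step 6.
AFTER_STEP_5 = """\
<VirtualHost _default_:*>
  <Location />
    Allow from localhost
  </Location>
</VirtualHost>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
"""

if __name__ == "__main__":
    print(audit(AFTER_STEP_5))
```

An empty list means every scope in the file carries the block. Includes are not followed, so for an included file such as oprocmgr.conf only the VirtualHost entries in the result are meaningful.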
