Apache 2.0 - Disabling the HTTP TRACE and TRACK methods


Solution 1

  1. According to the documentation http://httpd.apache.org/docs/2.0/mod/core.html#traceenable TraceEnable Off will only disable the HTTP TRACE method. It does nothing to the TRACK method.

  2. See 1.

  3. If your server is public, then you should probably disable these methods.

In addition: since you seem to be paranoid (which can be a good thing!), I would upgrade to a later version of Apache, as the final release of 2.0 has been made and no new bugs -- including security holes -- will be fixed.

Solution 2

Case A: TRACE directive

Using the "traceEnable on" command in the httpd.conf file and running the following curl command:

SITE=http://www.server.my; curl $SITE -X TRACE

The response is:

TRACE / HTTP/1.1
User-Agent: curl/7.29.0
Host: http://www.server.my
Accept: */*

On the other hand, if "traceEnable off", the previous curl command returns:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7d DAV/2 Server at http://www.server.my Port 80</address>
</body></html>

which means that the TRACE enable directive is disabled. So, I think that the "traceEnable off" command is working properly.

Case B: TRACK directive

Using the "traceEnable on" command in the httpd.conf file and running the following curl command:

SITE=http://www.server.my; curl $SITE -X TRACK

The response is:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>TRACK to / not supported.<br />
</p>
<hr>
<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7d DAV/2 Server at http://www.server.my Port 80</address>
</body></html>

Here is the conclusion of the previous test case: 501 Method Not Implemented. If you send a TRACE request to Apache, it will return that this method is not implemented. So, I think that we don't need to worry... This is confirmed by the next test case.

If "traceEnable off" then the previous TRACK request returns the same "not implemented" message.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>TRACK to / not supported.<br />
</p>
<hr>
<address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7d DAV/2 Server at http://www.server.my Port 80</address>
</body></html>

According to http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html, even though the Apache server does not support the TRACK method natively, it is possible for plug-in modules to provide support for it. To disable this capability for plug-in modules, in addition to disabling the TRACE method we may have to disable the TRACK method using the Rewrite module.

But if you don't install a TRACK plug-in into Apache, there are no security issues. Is this assumption valid?
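The manual curl checks above can be turned into a small script that probes both methods and reads the status code instead of the HTML body. This is an added example, not part of the original question or answers; the hostname in SITE is a placeholder, and the status-to-verdict mapping is an assumption based on the responses shown above (a 200 with the request echoed back means the method is live, a 403 means TraceEnable Off or a rewrite rule refused it, a 501 means Apache has no handler for it).

```shell
#!/bin/sh
# Added example (not from the original answers): probe a server for the
# TRACE and TRACK methods with curl and turn the status code into a verdict.
# SITE is a placeholder, e.g. SITE=http://www.server.my sh check_trace.sh

# Map the status code of a TRACE/TRACK request to a verdict (assumed mapping).
#   200         -> the server echoed the request: the method is enabled
#   403/405/501 -> refused, not allowed, or not implemented: disabled
#   anything else (000 on connection failure, redirects, ...) -> inconclusive
method_verdict() {
  case "$1" in
    200) echo "enabled" ;;
    403|405|501) echo "disabled" ;;
    *) echo "inconclusive" ;;
  esac
}

# Send one request with the given method and print only the status code.
# -s silences progress, -o /dev/null drops the body, -w prints the code,
# --max-time bounds the wait so a silent server cannot hang the script.
probe_method() {
  curl -s -o /dev/null --max-time 10 -w '%{http_code}' -X "$2" "$1"
}

# Check both methods against one site and print one line per method.
check_site() {
  site="$1"
  for m in TRACE TRACK; do
    code=$(probe_method "$site" "$m")
    printf '%s %s %s -> %s\n' "$site" "$m" "$code" "$(method_verdict "$code")"
  done
}

if [ -n "${SITE:-}" ]; then
  check_site "$SITE"
fi
```

If the script reports TRACE or TRACK as enabled, the page's own fix is `TraceEnable Off` for TRACE; the mod_rewrite approach the IBM page refers to for covering both methods is a condition on the request method, `RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)`, followed by `RewriteRule .* - [F]`, which makes both return the same 403 shown in Case A.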


Updated on September 18, 2022

Comments

  • Dequantus
    Dequantus almost 2 years

    I'm using this function to dynamically create a user chosen number of input-groups:

    const tag = (tag, className, props = {}) => 
        Object.assign(document.createElement(tag), {className, ...props});
    

    Everything works fine except when I make a call that has a hyphenated field in it like tag("div", "collapse", {id: "card" + cardCount, data-parent: "#parentList"}))

    It gives me an error on the 'data-parent' attribute. I replaced it with ['data-parent'] and still got an error. How do I get this to work?

  • funk
    funk over 10 years
    Hi! Thank you for your response! The server upgrade is not in my responsibilities, so I have to work on Apache 2.0. ;) Anyway, I cannot understand the TRACK command's effect on Apache, since the TRACK method is a Microsoft command that Apache doesn't support. Do you have an idea?
  • Colin 't Hart
    Colin 't Hart over 10 years
    No idea. I'm not sure if it works, but maybe you can use curl -X TRACK to test whether Apache even responds to TRACK at all without any config? See blogs.plexibus.com/2009/01/15/rest-esting-with-curl for info on using CURL to test other HTTP methods.
  • funk
    funk over 10 years
    I like curl! :) Nice and useful command! Thank you!
  • Colin 't Hart
    Colin 't Hart over 10 years
    Please let us know your findings! I run a few public Apache servers and am considering locking them down further. For example, I only enable the modules I really need (which is only about 6 or 7).
  • Colin 't Hart
    Colin 't Hart over 10 years
    Yes: if you don't install (m)any modules you limit Apache's capabilities. Thoroughly check the documentation of the modules that you do install.
  • Michael Cordingley
    Michael Cordingley almost 7 years
    This is significantly belated, but Apache/2.4.6 (CentOS) reports 501 - Not Implemented when I curl -X TRACK it.
  • Dequantus
    Dequantus over 3 years
    I also tried that earlier, it doesn't give any errors but it doesn't assign the attribute to the div.
  • Vitalii
    Vitalii over 3 years
    Updated the answer. Object.assign is used for objects, but you are dealing with a DOM element and, as far as I know, the only way to set a data attribute is via a setAttribute call.