Index: [Article Count Order] [Thread]

Date:  Tue, 1 Apr 2008 16:57:39 -0400
From:  Jeremy Knope <jerome (at mark)>
Subject:  [coba-e:12402] Re: Apache vulnerability has customer in a panic
To:  coba-e (at mark)
Message-Id:  <F08A392A-E1FB-4B8A-883C-791EC3ACCE52 (at mark)>
In-Reply-To:  <47F263BF.7040901 (at mark)>
References:  <47F16FF1.6020700 (at mark)> < (at mark)> <47F1AD42.80800 (at mark)> < (at mark)> <47F263BF.7040901 (at mark)>
X-Mail-Count: 12402

On Apr 1, 2008, at 12:33 PM, Chris Gebhardt - VIRTBIZ Internet wrote:

> Michael Stauber wrote:
>>> Using this information, what I have done is to add this into the  
>>> end of
>>> the main httpd.conf and the admserv httpd.conf:
>>> # disable TRACE in the main scope of httpd.conf
>>> RewriteCond %{REQUEST_METHOD} ^TRACE
>>> RewriteRule .* - [F]
>>> #
>>> This would appear to make a difference, yes?
>> Correct. Or you could put these additions it into a separate conf  
>> file located in /etc/httpd/conf.d/ and /etc/admserv/conf.d/ . Like / 
>> etc/httpd/conf.d/trace.conf and /etc/admserv/conf.d/trace.conf for  
>> example.
> Ah, that may be a more efficient placement.  Thanks for the  
> suggestion!
> -- 
> Chris Gebhardt
> VIRTBIZ Internet Services
> Access, Web Hosting, Colocation, Dedicated
> | toll-free (866) 4 VIRTBIZ

I just tested this TRACE issue some more, and I'm coming up with 200  
OKs for some of the virtual hosts.  Will the only way to remedy this  
be to add this rule to EVERY virtual host?  I added this to /etc/httpd/ 
conf.d/trace_disable.conf and restart web server, but only 1 domain  
seems to be picking this up.

If I do have to do it for all vhosts, anybody know where the vhost  
config template is for when the UI creates a new vhost I can make it  
always happen?

  -- Jeremy

Jeremy Knope
Web Programmer
Rainstorm Consulting:
"Designing Strategies for Internet Success."
jerome (at mark)
Phone: 207-866-3908
Fax: 207-866-0297


12402_2.html (attatchment)(tag is disabled)