RHEL-121679

Disable TRACE by default for httpd


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Undefined
    • Affects Version/s: rhel-8.10, rhel-9.6, rhel-10.0
    • Component/s: httpd
    • Severity: Low
    • Assigned Team: rhel-stacks-web-servers

      What were you trying to do that didn't work?

      Security scanners report TRACE/TRACK enabled and identify it as a possible security issue. RHEL should disable TRACE/TRACK by default.

      What is the impact of this issue to you?

      Nessus, Qualys, and others flagging a security flaw.

      https://owasp.org/www-community/attacks/Cross_Site_Tracing

      Please provide the package NVR for which the bug is seen:

      httpd (all versions)

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install httpd
      2. curl -X TRACE 127.0.0.1

      Expected results

      405 Method not allowed

      Actual results

      TRACE / HTTP/1.1
      Host: 127.0.0.1
      User-Agent: curl/8.9.1
      Accept: */*

      Additional Information

      This is being done by numerous projects piecemeal, but would be better done by the httpd project. See https://issues.redhat.com/browse/RHEL-59772, https://issues.redhat.com/browse/OSPRH-14672, https://issues.redhat.com/browse/RHV-36639 and numerous others.
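
The check and the fix that the report is asking for, as an added example (this is not code from the issue or from the httpd project). The directive `TraceEnable Off` is httpd's own and is valid in server config and virtual-host context; with the default `TraceEnable On` the server echoes the request back as a `message/http` body, which is the reflection cross-site tracing relies on, and with `TraceEnable Off` it answers 405, the reporter's expected result. The function names `trace_verdict` and `probe_trace` and the two sample responses are constructed for this example and are not captured from a real host.

```shell
#!/bin/sh
# Added example: classify how an httpd server answers a TRACE request.
#
# Hardened httpd configuration (httpd.conf or a VirtualHost block):
#
#   TraceEnable Off
#
# The default is "TraceEnable On", which reflects the request line and
# headers back to the client, which is what Nessus/Qualys flag.

# trace_verdict RESPONSE
# RESPONSE is a raw HTTP response (status line, headers, blank line, body)
# as produced by "curl -i -X TRACE". Prints one word:
#   echoed  - the request was reflected (TRACE enabled)
#   denied  - 405 or 403 (TraceEnable Off, or a rewrite rule blocking TRACE)
#   other   - anything else (proxy error, empty response, ...)
trace_verdict() {
    response=$1
    status_line=$(printf '%s\n' "$response" | head -n 1 | tr -d '\r')
    status=${status_line#* }      # drop "HTTP/1.x "
    status=${status%% *}          # keep the three-digit code
    case "$status" in
        405|403) printf 'denied\n'; return 0 ;;
    esac
    # A reflected request shows up as a TRACE request line in the body.
    if printf '%s\n' "$response" | grep -q '^TRACE / HTTP/1\.[01]'; then
        printf 'echoed\n'
        return 0
    fi
    printf 'other\n'
}

# probe_trace HOST[:PORT]
# Live check against a server: send TRACE and classify the answer.
probe_trace() {
    trace_verdict "$(curl -s -i -X TRACE --max-time 5 "http://$1/")"
}

# Constructed sample responses (not captured from a real host) so the
# classifier can be exercised offline.
SAMPLE_ENABLED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/8.9.1\r\nAccept: */*\r\n')
SAMPLE_DISABLED=$(printf 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n<html>...</html>\r\n')

# Usage: sh trace_check.sh 127.0.0.1   (only probes when a host is given)
if [ "${1:-}" ]; then
    probe_trace "$1"
fi
```

Run `probe_trace 127.0.0.1` before and after adding `TraceEnable Off` and reloading httpd; the verdict should move from `echoed` to `denied`. A `RewriteRule` that returns 403 for TRACE is also reported as `denied`, so the function does not distinguish the two mitigations.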

              Assignee: Lubos Uhliarik (luhliari@redhat.com)
              Reporter: Thomas Sorensen (tsorense@redhat.com)
              Lubos Uhliarik
              Branislav Náter