> There is one failure with Apache that the security company says will put
> them at risk of losing their merchant account. If the Apache version was
> 2.0.55 or newer, it would be an easy fix. But the latest Apache appears
> to be 2.0.52 if they do a YUM update.
>
> Ideas?
>
> ===================================
> On our current scans both ports 444 and 81 are failing for the TRACE
> method being enabled and it is a security risk for the domain. The same
> issue is also flagging on port 80, which according to the headers for the
> ports, is running Apache 2.0.52 (CentOS). If ports 444, 81 and 80 are all
> using the same Apache server, these issues can be resolved together.
>
> This vulnerability has been addressed by Apache but for versions 2.0.55 or
> later (http://httpd.apache.org/docs/2.0/mod/core.html#traceenable). If the
> header information is not correct and the Apache server is updated to a
> newer version, the above link explains how by adding a line, in the conf
> file, will disable the method. If the server is not up to that version,
> there is a way to disable the method through use of mod_rewrite
> (http://www.kb.cert.org/vuls/id/867593). If possible, there appears to be
> an update for Apache (2.0.59) on CentOS which will allow the allowance of
> the TraceEnable.
This would be an issue.
You can use the TraceEnable directive with an updated httpd with
ftp://mirrors.easynews.com//linux/centos/4.6/centosplus/i386/RPMS/httpd-2.0.59-1.el4s1.10.el4.centos.i386.rpm
(I'm not too sure how much I like this build... seems to be missing some
patches and I'm not going to spend hours working on all the patches to see
if they need rebuilding or deletion)
however it looks to me that it's not too much of a problem since we don't
really run the proxy mode anyway.
Regardless...
There is no update from RedHat since...
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-2320
Official Statement from Red Hat (3/5/2008)
The Apache Software Foundation do not treat this as a security issue. A
configuration change can be made to disable the ability to respond to HTTP
TRACE requests if required.
For more information please see:
http://www.apacheweek.com/issues/03-01-24#news
Now if they are going to be happy with the mod_rewrite fix, so be it. If
you do that you don't have to worry about not being able to update your
apache from the default... But don't turn your webserver into a proxy :)
--
Zeffie...
http://www.zeffie.com/
Now I build it and You surf it!
Cobalt RaQ Repairs, Development, and Maintenance.
Home of the Worlds Largest Collection of RaQ Updates!
Cobalt Spam Filter, Security, Firewall, Anti Virus Products.
Yahoo: wwwZeffie ... Aim: wwZeffie ... Msn wwZeffie (at mark) hotmail.com ...
US 734-446-0350 734-454-9117 US Toll Free 800-231-4459 UK 0208-150-6860
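For reference, the two fixes discussed in this thread written out as httpd.conf fragments. This is an added illustration, not configuration from the thread, from Zeffie or from the CentOS package; the hostname, port and document root are assumed. Use one option or the other: a 2.0.52 httpd refuses to start on an unknown TraceEnable directive, and the mod_rewrite rule must sit inside each VirtualHost because rewrite rules in the main server context are not inherited by vhosts unless RewriteOptions inherit is set.

```apache
# Option A: httpd 2.0.55 or later (for example the 2.0.59 centosplus build).
# TraceEnable is a core directive; "off" makes httpd answer any TRACE
# request with 405 Method Not Allowed. Valid in server and vhost context.
TraceEnable off

# Option B: the stock CentOS 4 httpd 2.0.52, which has no TraceEnable.
# Needs mod_rewrite loaded (LoadModule rewrite_module modules/mod_rewrite.so).
# Repeat the three rewrite lines in every vhost the scan flagged
# (here the assumed port 444 vhost; do the same for :80 and :81).
<VirtualHost *:444>
    # assumed hostname and document root
    ServerName www.example.com
    DocumentRoot /var/www/html
    # SSL and other existing settings stay as they were

    RewriteEngine On
    # Match the request method, not the URL, and answer 403 Forbidden.
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</VirtualHost>
```

Run `apachectl configtest` before restarting; it is what catches a TraceEnable line on a too-old build. To verify the scan finding is gone, `curl -si -X TRACE http://www.example.com:444/` (substitute each flagged port and https where the port speaks TLS) should now return 405 with option A or 403 with option B, whereas a still-vulnerable server answers 200 with Content-Type: message/http and echoes the request headers back in the body.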