httpd-users mailing list archives

From "J. Bakshi" <>
Subject [users@httpd] <LimitExcept GET POST> not working
Date Sat, 02 Jan 2010 14:54:59 GMT
Dear list,

I have tested my webserver ( opensuse 11; apache2-2.2.8-28.4) through nikto. I have found

```
+ Server: Apache
+ OSVDB-0: Retrieved X-Powered-By header: PHP/5.2.9
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See
for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially
sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 4347 items checked: 5 item(s) reported on remote host
+ End Time:        2010-01-03 17:56:35 (2228 seconds)

```

To block TRACE I have added the following in httpd.conf folder

```
<Directory /srv/www/htdocs/>

# Prevents TRACE from allowing attackers to find a
# path through cache or proxy servers.
<LimitExcept GET POST>
deny from all
</LimitExcept>

</Directory>
```

After restarting Apache, nikto is still able to find TRACE. I have a number of VHOSTS, hence
rather than .htaccess I would like to add it in httpd.conf. What am I missing here? How can I prevent
the other info also, like the PHP header, the icons/ folder, etc.? I will be grateful if anyone
kindly suggests me.
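The configuration the poster tried, placed beside the global settings that address each nikto finding, as an added example that is not from the post or from the httpd project. Apache's documentation for the `<Limit>` and `<LimitExcept>` sections states that the TRACE method cannot be limited there and refers to `TraceEnable` instead; the example assumes the document root from the post, that `mod_headers` is loaded, and the openSUSE icons path, which should be checked against the `Alias /icons/` line in the local configuration.

```apache
# What the post tried, kept for contrast. Per the <Limit>/<LimitExcept>
# documentation this section cannot block TRACE, so nikto still sees it.
<Directory /srv/www/htdocs/>
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>

# Server-wide hardening for the findings in the nikto report. Place these in
# the global part of httpd.conf, outside any <VirtualHost>, so every vhost
# inherits them without touching .htaccess files.

# OSVDB-877: TraceEnable is the supported way to refuse TRACE (core, 2.2).
TraceEnable off

# Keep the Server banner to the bare product name and drop the footer on
# server-generated pages (error documents, directory listings).
ServerTokens Prod
ServerSignature Off

# OSVDB-0 and OSVDB-12184: both come from PHP itself. The source fix is
#     expose_php = Off
# in php.ini, which removes the X-Powered-By header and the ?=PHPB8B5...
# logo GUID responses. Stripping the header here as well is a second layer
# (assumes mod_headers is loaded).
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# OSVDB-3268 / OSVDB-3233: the distribution's Alias /icons/ serves a listing
# and a README. Either delete that Alias line, or turn off listings and deny
# the README for that directory. The path below is the openSUSE default
# (assumption); this block must come after the distribution's own
# <Directory> block for the same path, since later sections merge last.
<Directory "/usr/share/apache2/icons">
    Options -Indexes
    <Files README>
        Order allow,deny
        Deny from all
    </Files>
</Directory>
```

After a restart, a request such as `curl -i -X TRACE http://localhost/` should return 405 Method Not Allowed, which is the quick local check that the change took effect.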

