Apache scan report -- security warning
Posted by: dittoit (114.92.238.---)
Date: June 12, 2012 04:14PM

I installed WampServer 2.1 under Windows 2003 Server; after that I did a security scan and found the web server has this security warning:

Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users to give him their
credentials.

Is there any solution to this problem? If so, how do I update the httpd.conf of the Apache server?

Re: Apache scan report -- security warning
Posted by: stevenmartin99 (Moderator)
Date: June 12, 2012 04:40PM

Yes, use WAMP 2.2.

Steven Martin
stevenmartin99@gmail.com
stevenmartin99@hotmail.com
PampServer.com - [pampserver.com]

Re: Apache scan report -- security warning
Posted by: dittoit (---.static.hostnoc.net)
Date: June 14, 2012 08:53AM

I already installed the latest version of WampServer 2.2, but I get the same result after scanning the web port:

Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users to give him their
credentials.

Solution: Disable these methods.


Is there any way to fix this problem?

Re: Apache scan report -- security warning
Posted by: stevenmartin99 (Moderator)
Date: June 14, 2012 09:09AM

TRACE is enabled by default in an Apache installation.

Add
TraceEnable  = off
into your httpd.conf.

Steven Martin
stevenmartin99@gmail.com
stevenmartin99@hotmail.com
PampServer.com - [pampserver.com]

Re: Apache scan report -- security warning
Posted by: dittoit (114.92.238.---)
Date: June 14, 2012 10:56AM

Thanks for your information, but after I did this it is not possible to start the Apache service. I tried to add this statement at the last line or the first line of httpd.conf:

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include "c:/wamp/alias/*"
TraceEnable = off

or

TraceEnable = off
ServerRoot "c:/wamp/bin/apache/apache2.2.17"

Neither works, and when I remove this statement I can start the Apache service again.

Is there any way to fix it?

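The following Python script is an added example, not code from this thread or from WampServer: it checks an httpd.conf for a valid TraceEnable directive, flags the `TraceEnable = off` form (Apache directives take space-separated arguments, so the `=` becomes an extra argument and httpd refuses to start), and offers a TRACE probe to confirm your own server now answers 405. The config text and the response used below are constructed sample data.

```python
# Added example (not from the thread): validate TraceEnable in httpd.conf and
# verify the running server. Apache directives are "Name value" with no "=";
# "TraceEnable = off" gives a one-argument directive two arguments, so httpd
# fails to start ("TraceEnable takes one argument").
import socket

VALID_VALUES = {"on", "off", "extended"}   # values TraceEnable accepts


def check_trace_enable(conf_text):
    """Return {'effective': <setting>, 'errors': [(lineno, line), ...]}.

    Apache defaults to "on" when no directive is present; the last valid
    TraceEnable wins, as in httpd's own config parsing.
    """
    result = {"effective": "on", "errors": []}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # comments are whole lines
            continue
        words = line.split()
        if words[0].lower() != "traceenable":
            continue
        args = words[1:]
        if len(args) != 1 or args[0].lower() not in VALID_VALUES:
            result["errors"].append((lineno, line))  # httpd would not start
            continue
        result["effective"] = args[0].lower()
    return result


def parse_status(response):
    """Extract the status code from a raw HTTP response (b'HTTP/1.1 405 ...')."""
    status_line = response.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1])


def trace_status(host, port=80, timeout=5):
    """Send one TRACE request to your own server and return the status code.
    With TraceEnable off, Apache answers 405 Method Not Allowed."""
    request = f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    return parse_status(data)


# Constructed sample configs: the malformed form from the thread and the valid one.
BAD_CONF = 'Include "c:/wamp/alias/*"\nTraceEnable = off\n'
GOOD_CONF = '# disable TRACE to close the XST finding\nTraceEnable off\n'
```

Run `check_trace_enable` on your httpd.conf text before restarting Apache, then `trace_status("localhost")` afterwards; TraceEnable belongs in the main server or virtual host config, not in an .htaccess file.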