Title

The TRACE method must be disabled. (Cat II impact)

Discussion

Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details http://httpd.apache.org/docs/2.2/mod/core.html#traceenable. The HTTP 1.1 protocol requires support for the TRACE request method which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subject to abuse and should be disabled.

Check Content

Locate the Apache httpd.conf file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: TraceEnable For any enabled TraceEnable directives ensure they are part of the server level configuration (i.e. not nested in a <Directory> or <Location> directive). Also ensure that the TraceEnable directive is set to “Off”. If the TraceEnable directive is not part of the server level configuration and/or is not set to “off” this is a finding. If the directive does not exist in the conf file this is a finding as the default value is "On".

Fix Text

Disable the TraceEnable directive by setting it to "off".

Additional Identifiers

Rule ID: SV-33183r1_rule

Vulnerability ID: V-26325

Group Title: WA00550

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.