andreas-h

Asked: 2013-04-30 12:56:28 +0800 CST2013-04-30 12:56:28 +0800 CST 2013-04-30 12:56:28 +0800 CST

How to forbid HTTP TRACE in lighttpd

In a recent PCIDSS scan at a client of mine, I got aware of Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability (CVE-2004-2320, CVE-2007-3008). The proposed mitigation for Apache is this:

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
</IfModule>

How can I achieve the same in Lighttpd?

Your help is greatly appreciated!

1 Answers

Voted

Best Answer

Stefan
2013-05-01T02:10:37+08:002013-05-01T02:10:37+08:00
See src/keyvalue.c for a list of HTTP methods recognized by lighttpd. The default configuration supports a subset of those.
1

How to forbid HTTP TRACE in lighttpd

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?