http TRACE 跨站攻击漏洞测试与防御修复
apache关闭方法可以直接在配置文件http.conf添加TraceEnable off 关闭 有版本要求 好像是2.0以上
在httpd.conf下搜索Global 在
### Section 1: Global Environment
下面加 TraceEnable off
保存OK
如何测试呢.这样
在cmd下输入
telnet 127.0.0.1 80
然后在黑屏状态下输入
TRACE / HTTP/1.0
Host: foo
在添加TraceEnable off之前,应返回
HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response
Connection closed by foreign host.
在添加TraceEnable off之后,应返回
HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML(link) PUBLIC "-//IETF//DTD HTML(link) 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body></html>
Connection closed by foreign host.
至此,可通过安全测试