Apache

Countermeasures for the HTTP TRACE vulnerability

First, check whether HTTP TRACE is enabled:

telnet <server> 80
OPTIONS / HTTP/1.0

Trying it for real:

# telnet 192.168.1.50 80
Trying 192.168.1.50...
Connected to 192.168.1.50
Escape character is '^]'.
OPTIONS / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2005 05:24:09 GMT
Server: Apache
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
Connection: close
Connection closed by foreign host.

Now for the fix.

mod_rewrite is required, so recompile:

make clean
./configure --enable-module=rewrite (the other options you normally use are of course needed as well)
make
make install

Add the following settings to httpd.conf:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE [OR]
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]

Testing again:

Connected to localhost.
Escape character is '^]'.
OPTIONS / HTTP/1.0
HTTP/1.1 403 Forbidden
Date: Fri, 04 Feb 2005 05:22:07 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.8
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.31 Server at <servername> Port 80</ADDRESS>
 </BODY></HTML>
Connection closed by foreign host.

OK, that works.
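To repeat the check above without telnet, here is an added Python script (not part of the original page) that parses an OPTIONS response, reports whether TRACE is still advertised in the Allow header, and can probe a live host with both OPTIONS and TRACE; the two sample responses are constructed from the sessions shown on this page, and the host/port arguments are assumptions.

```python
"""Check whether an Apache server still advertises or answers HTTP TRACE."""
import http.client

# Constructed sample responses, modelled on the two telnet sessions above.
SAMPLE_BEFORE = (b"HTTP/1.1 200 OK\r\nDate: Fri, 04 Feb 2005 05:24:09 GMT\r\n"
                 b"Server: Apache\r\nContent-Length: 0\r\n"
                 b"Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, "
                 b"PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\r\n"
                 b"Connection: close\r\n\r\n")
SAMPLE_AFTER = (b"HTTP/1.1 403 Forbidden\r\nDate: Fri, 04 Feb 2005 05:22:07 GMT\r\n"
                b"Server: Apache/1.3.31 (Unix) PHP/4.3.8\r\nConnection: close\r\n"
                b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                b"<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD></HTML>")


def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP/1.x response; header names are lowercased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def allowed_methods(raw: bytes):
    """Methods listed in the Allow header of an OPTIONS response, as an upper-case set."""
    status, headers = parse_response(raw)
    allow = headers.get("allow", "")
    return status, {m.strip().upper() for m in allow.split(",") if m.strip()}


def trace_advertised(raw: bytes) -> bool:
    """True when OPTIONS succeeded and TRACE appears in Allow (the state before the fix)."""
    status, methods = allowed_methods(raw)
    return status == 200 and "TRACE" in methods


def probe(host: str, port: int = 80, timeout: float = 5.0):
    """Send OPTIONS / and TRACE / to a live server (host/port are assumptions).
    With the RewriteRule from this page in place both should come back as 403."""
    results = {}
    for method in ("OPTIONS", "TRACE"):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, "/", headers={"Host": host})
        results[method] = conn.getresponse().status
        conn.close()
    return results
```

Note that the rule on this page also refuses OPTIONS, which WebDAV clients depend on; Apache 1.3.34 / 2.0.55 and later offer `TraceEnable off` to disable TRACE alone without mod_rewrite.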
