Bug 463940 - TraceEnable should be off by default
Product: Fedora
Classification: Fedora
Component: httpd
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2008-09-25 12:09 EDT by James Ralston
Modified: 2008-10-20 12:00 EDT
Doc Type: Bug Fix
Last Closed: 2008-10-20 12:00:32 EDT
Attachments: None

Description James Ralston 2008-09-25 12:09:15 EDT
Although the HTTP TRACE capability isn't a security vulnerability per se, it can be leveraged by attackers to obtain sensitive information:

Apache httpd 1.3.34, 2.0.55 and later include a "TraceEnable" directive that can be used to disable support for HTTP TRACE:

Per RFC2616, support for HTTP TRACE is OPTIONAL:

Therefore, I will make the following assertion: HTTP TRACE should be disabled by default in Apache httpd. Most people don't need this functionality, and the people who do can always explicitly enable it.

However, Apache httpd currently takes the opposite approach: if not overridden in httpd.conf, the default value for TraceEnable is "on". Furthermore, the stock httpd.conf file does not set TraceEnable off.

I think we should try to convince upstream that the default value for TraceEnable should be "off". Furthermore, in the meantime, I think we should patch the stock httpd.conf file as contributed by the httpd RPM to include a "TraceEnable off" line (with a comment explaining the implications of enabling it).

I've filed this bug against Fedora Rawhide, but it applies to all actively supported Red Hat and Fedora releases which include a version of httpd that understands the TraceEnable directive (F8, F9, RHEL5). For supported releases which include a version of httpd that doesn't understand the TraceEnable directive (RHEL2.1, RHEL3, RHEL4), support for TraceEnable should be backported.
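As an added example (not part of this bug report or of the httpd project), a small Python audit a packager or admin could run to check the two things the report turns on: whether an httpd.conf fragment actually sets TraceEnable off (a missing directive means the default, "on"), and whether an access log shows TRACE requests being answered (2xx) rather than refused; httpd answers 405 once TraceEnable is off. The config fragment and log lines below are constructed samples.

```python
import re

# Constructed httpd.conf fragment: the directive is only present as a comment,
# so the effective value is still the upstream default, "on".
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
# TraceEnable off
Listen 80
"""

# Constructed combined-format access-log lines: one TRACE served with 200
# (TRACE enabled), one refused with 405 (TRACE disabled), one unrelated GET.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2008:12:09:15 -0400] "TRACE / HTTP/1.1" 200 312 "-" "curl/7.18"
203.0.113.5 - - [25/Sep/2008:12:10:02 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.18"
198.51.100.7 - - [25/Sep/2008:12:11:40 -0400] "TRACE / HTTP/1.1" 405 231 "-" "curl/7.18"
"""

DIRECTIVE_RE = re.compile(r"^TraceEnable\s+(\S+)", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def trace_enable_setting(conf_text: str) -> str:
    """Return the effective TraceEnable value ('on', 'off' or 'extended').

    A missing directive yields httpd's built-in default, 'on'. Comment lines
    are skipped and the last real occurrence wins, as in httpd itself.
    """
    value = "on"
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        match = DIRECTIVE_RE.match(stripped)
        if match:
            value = match.group(1).lower()
    return value


def trace_requests(log_text: str) -> list:
    """Return (ip, timestamp, status, served) for each TRACE request.

    'served' is True for a 2xx answer, i.e. TRACE is still enabled on the
    server that wrote the log; with TraceEnable off the status is 405.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or match.group("method") != "TRACE":
            continue
        status = int(match.group("status"))
        hits.append((match.group("ip"), match.group("ts"), status, 200 <= status < 300))
    return hits
```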
Comment 1 Tomas Hoger 2008-09-29 05:52:47 EDT
Opening this bug, as it is not a report of any new security vulnerability.
Comment 2 Joe Orton 2008-10-20 12:00:32 EDT
This is an upstream default; if you can successfully make this case upstream the Fedora default will naturally follow.  (I do not in any way agree with disabling TRACE by default so I will not take up this case for you! :)

I do not see any motivation to patch out the default in Fedora, though; there is nothing Fedora-specific about this issue.
