Red Hat Bugzilla – Bug 463940
TraceEnable should be off by default
Last modified: 2008-10-20 12:00:32 EDT
Although the HTTP TRACE capability isn't a security vulnerability per se, it can be leveraged by attackers to obtain sensitive information:
Apache httpd 1.3.34, 2.0.55 and later include a "TraceEnable" directive that can be used to disable support for HTTP TRACE:
Per RFC2616, support for HTTP TRACE is OPTIONAL:
Therefore, I will make the following assertion: HTTP TRACE should be disabled by default in Apache httpd. Most people don't need this functionality, and the people who do can always explicitly enable it.
However, Apache httpd currently takes the opposite approach: if not overridden in httpd.conf, the default value for TraceEnable is "on". Furthermore, the stock httpd.conf file does not set TraceEnable off.
I think we should try to convince upstream that the default value for TraceEnable should be "off". Furthermore, in the meantime, I think we should patch the stock httpd.conf file as contributed by the httpd RPM to include a "TraceEnable off" line (with a comment explaining the implications of enabling it).
I've filed this bug against Fedora Rawhide, but it applies to all actively supported Red Hat and Fedora releases which include a version of httpd that understands the TraceEnable directive (F8, F9, RHEL5). For supported releases which include a version of httpd that doesn't understand the TraceEnable directive (RHEL2.1, RHEL3, RHEL4), support for TraceEnable should be backported.
Opening this bug, as it is not a report of any new security vulnerability.
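As an added example (not part of this bug report or the httpd RPM), the check below audits an httpd.conf for the effective TraceEnable value, treating an absent directive as "on" exactly as httpd does; the two sample configuration files it inspects are constructed inline for demonstration.

```shell
#!/bin/sh
# Added example: report the effective TraceEnable setting of an httpd.conf.
# httpd treats a missing directive as "TraceEnable on", which is the default
# this report argues against. Directive names are case-insensitive, lines
# beginning with '#' are comments, and the last occurrence wins; virtual-host
# scoping is deliberately ignored here (assumption: one server-wide setting).

effective_trace_enable() {
    # $1 = path to an httpd.conf; prints on, off or extended
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "traceenable" { v = tolower($2) }
        END { print (v == "" ? "on" : v) }
    ' "$1"
}

audit_trace_enable() {
    # Returns 0 only when TRACE is explicitly disabled.
    v=$(effective_trace_enable "$1")
    case "$v" in
        off) echo "OK: TraceEnable off in $1"; return 0 ;;
        *)   echo "WARN: TraceEnable $v in $1 (httpd defaults to on when absent)"; return 1 ;;
    esac
}

# Constructed sample: a stock-style config that never sets the directive.
STOCK_CONF=$(mktemp); cat > "$STOCK_CONF" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
# TraceEnable off   (commented out, so the built-in default of "on" applies)
EOF

# Constructed sample: the hardened config the report proposes shipping.
HARDENED_CONF=$(mktemp); cat > "$HARDENED_CONF" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
# Disable HTTP TRACE; RFC 2616 marks support for it as OPTIONAL. When enabled,
# the server echoes the client's request, headers included, back to the client.
TraceEnable off
EOF

audit_trace_enable "$STOCK_CONF" || true
audit_trace_enable "$HARDENED_CONF" || true
```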
This is an upstream default; if you can successfully make this case upstream the Fedora default will naturally follow. (I do not in any way agree with disabling TRACE by default so I will not take up this case for you! :)
I do not see any motivation to patch out the default in Fedora though, there is nothing Fedora-specific about this issue.