
In a recent PCI DSS scan at a client of mine, I became aware of the Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability (CVE-2004-2320, CVE-2007-3008). The proposed mitigation for Apache is this:

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
</IfModule>

How can I achieve the same in Lighttpd?

Your help is greatly appreciated!

andreas-h
    Supposedly lighttpd doesn't even implement TRACE. What is the real server being used? – Michael Hampton Apr 29 '13 at 21:14
  • Thanks for the info! There are several servers behind the web-facing proxy (pond), so I wasn't sure which server the vulnerability applied to. So if lighttpd doesn't implement TRACE, then I guess it was Apache ;) – andreas-h Apr 29 '13 at 21:16
  • Do you mean Pound? It shouldn't allow TRACE through by default, unless it was reconfigured to do so. Time to update your question. :) – Michael Hampton Apr 29 '13 at 21:19

1 Answer


See src/keyvalue.c for a list of HTTP methods recognized by lighttpd. The default configuration supports a subset of those.

Stefan
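For readers who want an explicit deny rule in lighttpd comparable to the Apache mod_rewrite snippet in the question, the following is an added example (not part of the question, the answer, or lighttpd's own documentation). It assumes lighttpd 1.4.19 or later, where the `$HTTP["request-method"]` conditional is available, and uses `url.access-deny` with an empty string, which suffix-matches every URL:

```lighttpd
# Added example: explicitly reject the TRACE method with 403 Forbidden,
# mirroring "RewriteCond %{REQUEST_METHOD} ^TRACE ... [F]" in Apache.
# Assumption: lighttpd >= 1.4.19 ($HTTP["request-method"] conditional).
$HTTP["request-method"] == "TRACE" {
    # An empty string matches every URL, so all TRACE requests are denied.
    url.access-deny = ( "" )
}
```

After reloading lighttpd, confirm the behaviour from the outside with `curl -i -X TRACE http://your-host/`: the response should now be a 403 rather than an echo of the request. As the comments note, the proxy in front of the backends (Pound) is the first place to check, since a method blocked there never reaches lighttpd or Apache at all.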