How to disable the Apache HTTP TRACE and TRACK methods.

Document ID : KB000050643
Last Modified Date : 14/02/2018

Description:

TRACE and TRACK are HTTP methods used for debugging web server connections: the server echoes the request it received back to the client in the response body.

Although useful for legitimate diagnostics, they expose the server to cross-site tracing (XST). Because the echoed request contains every header the client sent, including Cookie and Authorization, an attacker who can make a visitor's browser issue a TRACE request to your server (for example through a browser or plugin flaw that allows cross-site requests with arbitrary methods) can read back session cookies that the HttpOnly flag would otherwise hide from script. Apache httpd answers TRACE by default. TRACK is the Microsoft IIS equivalent and is not implemented by Apache, but vulnerability scanners test for both, and the rewrite rule below rejects both. The solution is to disable these methods on the web server.

Solution:

The following steps must be performed as a user with administrator privileges on Windows, or as the root user on UNIX.

  1. cd $NH_HOME/web/httpd (or cd $NH_HOME/web/httpd/conf for eHealth 6.0 SP2 and higher)

  2. Create a httpd.tpl file, or add to an existing httpd.tpl file.

    The directives in httpd.tpl must be exactly as shown below, one per line, and the file must end with an empty line (the empty last line is required for the template merge that rebuilds httpd.conf).

    To disable both the TRACE and TRACK HTTP methods on your Apache-powered web server, add the following directives to httpd.tpl:

    # Custom Protect Section
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    # End Custom Protect Section

    To block only TRACK, use RewriteCond %{REQUEST_METHOD} ^TRACK in place of the RewriteCond line above; disabling both methods is recommended.
    These directives disable the TRACE and TRACK methods as follows:

    • RewriteEngine on - enables Apache's rewrite module, mod_rewrite, for this configuration context (not required if the directive is already present there; mod_rewrite itself must be loaded, or Apache rejects the configuration with "Invalid command 'RewriteEngine'")

    • RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) - matches every request whose method begins with TRACE or TRACK, so the rule that follows applies only to those requests

    • RewriteRule .* - [F] - returns a 403 Forbidden response for every matched request; the - target leaves the URL unchanged, and the [F] flag also stops further rewriting

    On Apache 2.0.55, 2.2 and later the core directive TraceEnable off also disables TRACE (the server then answers 405 Method Not Allowed) without depending on mod_rewrite, but it does not cover TRACK, so the rewrite rule above is still the complete fix.

  3. Regenerate the httpd.conf file and signal the web server to reread it. Either of the following does both:

    1. Add a web user, or modify an existing web user's permissions, from the web admin UI. This regenerates httpd.conf and signals the web server to reread it.

    2. Manually rebuild httpd.conf by following the steps in Technical Document TEC519984.
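The procedure above, scripted and followed by a check. This is an added example, not code from the CA article or the eHealth product: it installs the Custom Protect Section into httpd.tpl idempotently (with the required empty last line), verifies the template, and then probes a running server to confirm that TRACE and TRACK are rejected and that TRACE no longer echoes request headers. The path $NH_HOME/web/httpd/conf/httpd.tpl, the host name ehealth.example.com and port 80 are assumptions.

```shell
#!/bin/sh
# Added example (not part of the CA KB article): installs the Custom Protect
# Section into httpd.tpl idempotently, checks the result, and probes a running
# server. $NH_HOME, the host name and the port used below are assumptions.

# Appends the KB's directives to the template unless they are already there.
# The last argument to printf is an empty string, so the file ends with the
# empty line that the eHealth httpd.conf merge requires.
add_protect_section() {
    tpl="$1"
    if [ -f "$tpl" ] && grep -q '^# Custom Protect Section' "$tpl"; then
        return 0    # already installed; keep the run idempotent
    fi
    # If an existing template does not end in a newline, add one so the
    # first directive is not glued onto the previous line.
    if [ -s "$tpl" ] && [ -n "$(tail -c 1 "$tpl")" ]; then
        printf '\n' >> "$tpl"
    fi
    printf '%s\n' \
        '# Custom Protect Section' \
        'RewriteEngine on' \
        'RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)' \
        'RewriteRule .* - [F]' \
        '# End Custom Protect Section' \
        '' >> "$tpl"
}

# Returns 0 only if the two directives that do the blocking are present
# verbatim (whole-line, fixed-string match) and the file ends with an empty line.
tpl_has_protect_section() {
    tpl="$1"
    grep -qFx 'RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)' "$tpl" || return 1
    grep -qFx 'RewriteRule .* - [F]' "$tpl" || return 1
    [ -z "$(tail -n 1 "$tpl")" ]
}

# Sends a single request with the given method and prints the status code.
# After the fix both TRACE and TRACK should print 403. Before it, TRACE prints
# 200 (the request is echoed back) and TRACK, which Apache does not implement,
# typically prints 501.
probe_method() {
    host="$1"; port="$2"; method="$3"
    curl -s -o /dev/null -w '%{http_code}' -X "$method" "http://$host:$port/"
}

# The XST problem in one call: with TRACE enabled the response body echoes the
# request headers, so the probe cookie we send comes straight back. Exit status
# 0 means the server is still echoing; non-zero means it is not.
trace_echoes_cookie() {
    host="$1"; port="$2"
    curl -s -X TRACE -H 'Cookie: xst_probe=1' "http://$host:$port/" \
        | grep -q 'xst_probe=1'
}

# Typical use, after steps 1-3 of the KB (path and host are assumptions):
#   add_protect_section "$NH_HOME/web/httpd/conf/httpd.tpl"
#   tpl_has_protect_section "$NH_HOME/web/httpd/conf/httpd.tpl" && echo "template ok"
#   probe_method ehealth.example.com 80 TRACE    # expect 403
#   probe_method ehealth.example.com 80 TRACK    # expect 403
#   trace_echoes_cookie ehealth.example.com 80 && echo "STILL VULNERABLE"
```

Run the probes only after step 3 has regenerated httpd.conf and the server has reread it; until then the old configuration is still in effect and TRACE will keep echoing the probe cookie.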