How to disable TRACK/TRACE lighttpd 1.4.23

Place to discuss Debian Linux and Debian based distributions
Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead » Tue Aug 25, 2009 12:43 pm

Anyone familiar with this? We are trying to pass a PC compliance test and the TRACK/TRACE method is enabled. The scan gave us the code for Apache, but not lighttpd, of which my knowledge is limited.

lighttpd 1.4.23
Ubuntu 8.10 Intrepid

Void Main
Site Admin
Posts: 5715
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue Aug 25, 2009 7:40 pm

What makes you think the TRACE or TRACK method is enabled? From what I can tell after a little searching, neither of those methods is actually supported by lighttpd. I just installed it and checked, and they are at least disabled by default in the Fedora package. Do the tests at the top of this page to see if it's enabled:

http://publib.boulder.ibm.com/httpserv/ ... trace.html
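A check of the kind the linked page describes, written as a shell script for this thread (an added example, not code from either poster): it reads the server's raw reply to a TRACE or TRACK request and reports whether the method was honoured. It assumes only POSIX sh, sed, grep and tr, plus nc for the live probe; the two sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a raw HTTP response whether the
# server honoured a TRACE (or TRACK) request. A server that supports TRACE answers
# 200 with Content-Type: message/http and echoes the request back in the body; a
# server that refuses it answers 405/403/501, which is what a compliance scan wants.
# Assumes only POSIX sh, sed, grep, tr and (for the live probe) nc.

# trace_enabled: reads a raw response on stdin, prints "enabled" or "disabled",
# returns 0 when the method was honoured and 1 otherwise.
trace_enabled() {
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    if [ "$status" = "200" ] && printf '%s\n' "$resp" | grep -qi '^Content-Type:.*message/http'; then
        echo enabled; return 0
    fi
    # Some servers echo the request without the proper Content-Type; catch that too.
    if [ "$status" = "200" ] && printf '%s\n' "$resp" | grep -q '^TRAC[EK] '; then
        echo enabled; return 0
    fi
    echo disabled; return 1
}

# probe_trace HOST [PORT] [METHOD]: send the request to a server you administer
# and classify the reply. Uses nc; not exercised by the samples below.
probe_trace() {
    host=$1; port=${2:-80}; method=${3:-TRACE}
    printf '%s / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$method" "$host" \
        | nc -w 5 "$host" "$port" | trace_enabled
}

# Constructed sample responses (not captured from any real server).
SAMPLE_ENABLED='HTTP/1.1 200 OK
Content-Type: message/http
Connection: close

TRACE / HTTP/1.1
Host: example.test'
SAMPLE_DISABLED='HTTP/1.1 405 Method Not Allowed
Allow: GET, POST, HEAD
Content-Length: 0'

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED"; do
    # The if keeps the non-zero "disabled" status from aborting under set -e.
    if printf '%s\n' "$s" | trace_enabled >/dev/null; then
        echo "sample: TRACE honoured (fails the scan)"
    else
        echo "sample: TRACE refused (passes the scan)"
    fi
done
```

On lighttpd 1.4 the usual way to refuse the unwanted methods, which the thread does not spell out, is a `$HTTP["request-method"] !~ "^(GET|POST|HEAD)$"` conditional containing `url.access-deny = ( "" )` in lighttpd.conf; run the probe again afterwards to confirm the reply is no longer 200.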


Post by Copperhead » Fri Aug 28, 2009 12:40 pm

Thanks Void.

I actually found that page and went through the process with my client. After I did some searching, TRACK/TRACE is enabled by default in older versions of lighttpd >1.4.23. Since this guy was updating via apt, it didn't overwrite the old config file because he had virtual hosts defined, therefore leaving TRACK/TRACE enabled.

We used that page as a template, and got it straightened out and passed PCI compliance.


Post by Void Main » Fri Aug 28, 2009 3:30 pm

I didn't realize that was a check for PCI compliance. I also have significant dealings with PCI compliance here. We've implemented 2-factor authentication on just about everything, among a bazillion other hoops we had to jump through. I also take care of all the network gear as far as authentication, configuration management and logging on over 20,000 routers, switches, and firewalls, and keep track of all the firewall and switch ACLs, etc. Not to mention all the servers. :)


Post by Copperhead » Wed Sep 02, 2009 6:14 pm

Yeah, sorry about that. I typed in "PC compliance." I forgot the "I" :D

PCI compliance, while it should be practiced, is kind of a joke because it is not very standardized. The service my client used (I forget what it was), and obtained a compliance certification from, was completely different than the one I used (Comodo Securities).

Both had the problem of the TRACK/TRACE method in lighttpd, but Comodo's responded with a problem with their version of PHP (5.2.10-ubuntu). Comodo was very adamant about PHP being updated to v5.3, but my client's code wouldn't run on 5.3. I am not exactly sure how their code works (I guess they aren't either), but apparently it does something with FFMPEG to automatically convert and stream uploaded videos from various sources. They also have a store running on the same server, with a database that shares the responsibilities of both.

Of course, I explained to them that this is not the way to accomplish this. You never want a database on the same physical machine as the server, but you know how people like to take the cheap way out of things. I, of course, offered to redesign their system to "industry standards," but they seemed more concerned with meeting a deadline than doing things the right way, not to mention spending the money to get the job done the right way.

Oh well. This is the part of doing freelance consultation work I don't like. Of course, since they didn't follow my suggestions, when everything falls to pieces, guess who they blame? LOL

Thanks for your help, though.


Post by Void Main » Wed Sep 02, 2009 6:33 pm

Our PCI compliance is fairly strict. If we are not compliant it would cost us $1M/month for however long we are not compliant.


Post by Copperhead » Fri Sep 04, 2009 10:03 am

They were facing a similar fine. It passed, though. So long as you have a certificate from a certified PCI compliance authority, you are good to go.
