#22847 Disable HTTP methods TRACE and TRACK

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 24 June 2015 01:42 CDT

JUG-Heerenveen
Hi Nicholas,

Just to inform you:

In the new ATP 3.6.0 .htaccessmaker we see the new toggle: "Disable HTTP methods TRACE and TRACK (protect against XST)".

In the documentation you wrote:
Enabling this option will prevent remote clients from using the HTTP methods TRACE and TRACK to connect to your site. These can be used by hackers to perform privilege escalation attacks known as Cross Site Tracing (XST) [https://www.owasp.org/index.php/Cross_Site_Tracing]. To the best of our knowledge there are no side-effects to enabling this feature.

With our host Siteground: When setting this toggle to "yes" we get "500 Internal server error".
Don't know why. So definitely there are side-effects when enabling that feature.

JUG-Heerenveen
Same issue @ host PCextreme (NL)

nicholas
Akeeba Staff
Manager
This protection relies on the %{REQUEST_METHOD} keyword of the Apache Rewrite module (mod_rewrite). This is only available on Apache 2.2 and 2.4. If your server runs on Apache 1.3 or 2.0 this will not work.

The problem is that we can't rely on what PHP reports as the web server's version. I've seen some really crazy stuff out there. So all I can possibly do is ask you to test each of these options on your server and if one of them doesn't work on it then just don't use it.

You can disable this feature and enter
TraceEnable off

in the Custom .htaccess rules at the bottom of the file text area. This has the same effect and works even on old Apache versions.

BTW, I wouldn't lose sleep over it. If you have a browser version released in the last 3 years you are immune against the Cross Site Track (XST) attack this feature is designed to mitigate.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
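One way to test the outcome on your own server after trying either option, as an added example that is not part of this ticket or of Admin Tools: it sends a plain GET (which must not come back as a 5xx, the symptom reported above) and a TRACE carrying a random canary header, then reports whether the server refused the method, echoed the header back, or errored. The host name is a placeholder argument; the canary header name is made up for this check.

```python
import secrets
import socket
import ssl

CANARY_HEADER = "X-Xst-Canary"  # arbitrary header name chosen for this check

def build_request(method, host, canary, path="/"):
    """Minimal HTTP/1.1 request carrying the canary header."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"{CANARY_HEADER}: {canary}\r\nConnection: close\r\n\r\n").encode()

def parse_response(raw):
    """Return (status code, body text) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), body.decode(errors="replace")

def classify_trace(raw, canary):
    """'echoed'  = TRACE reflected our header (the XST condition);
    'blocked' = method refused (TraceEnable off or the rewrite rule);
    'broken'  = 5xx, e.g. a rule the server cannot parse (the 500 above)."""
    status, body = parse_response(raw)
    if canary in body:
        return "echoed"
    if status >= 500:
        return "broken"
    if status in (403, 405, 501):
        return "blocked"
    return f"other:{status}"

def fetch(host, method, canary, port=443, use_tls=True):
    """Send one request, read the whole response; redirects are not followed."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(method, host, canary))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def check_site(host):
    """Returns (GET status, TRACE verdict): GET must not be 5xx, TRACE should be 'blocked'."""
    canary = secrets.token_hex(8)
    get_status, _ = parse_response(fetch(host, "GET", canary))
    return get_status, classify_trace(fetch(host, "TRACE", canary), canary)
```

Call `check_site("www.example.com")` (placeholder host) once before and once after changing the .htaccess; a GET of 500 means the rule itself is the problem, while a TRACE verdict of 'echoed' means the protection is not in effect.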
