#26955 Disable HTTP methods TRACE and TRACK

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by on Saturday, 11 March 2017 17:17 CST

joomleb
Hi guys,
I'm running on Apache version 2.2.31 and with Let's Encrypt SSL certificate to have https on all sites.
Creating .htaccess with Admin Tools I thought was a good thing to set:
- Disable HTTP methods TRACE and TRACK (protect against XST): Yes

But saving and creating the .htaccess file I have back:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

I read here: https://www.akeebabackup.com/support/admin-tools/22847-disable-http-methods-trace-and-track.html#p126052
that this should be related to older Apache versions, but not from version 2.2...

So, please, how can I fix this?
And, in particular, is "Disable HTTP methods TRACE and TRACK" still a good thing to do?!?

tampe125
Akeeba Staff
Good morning,

it appears that the option to disable the TRACE and TRACK methods is not supported by your server.
In these cases the simplest option is to restore the previous htaccess file (saved under the name .htaccess.admintools) by renaming it to .htaccess. Then, inside the Htaccess Maker, disable the option "Disable HTTP methods TRACE and TRACK.": this way the option is no longer enabled and you can keep using your site.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

joomleb
Hi Davide,
many thanks for your answer. What about my second question:

A - Is "Disable HTTP methods TRACE and TRACK" still a good thing to do ?!?

B - In case of yes, What is the question / request I can do to my Server provider ?
Ask about a "TRACE and TRACK" feature ?!?

tampe125
Akeeba Staff
It's a good thing to disable the TRACE method, since it could reveal some debug information containing sensitive data.
You should get in touch with your host and ask him if this method is supported or not and how you can disable it.

joomleb
Hi Davide,
from my Server provider (A2hosting) I had back this suggestion:

You can add the following to your .htaccess file to forbid unacceptable requests:

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)
RewriteRule .* - [F]

Is it something that can be added to the Admin Tools features?
Is it something I can add through Admin Tools?

Many Thanks for support...

tampe125
Akeeba Staff
The "proper" way is to completely disable such methods; your host provided a workaround.
You can manually add those rules inside the Htaccess Maker in the field "Custom rules on top of .htaccess file".

joomleb
Hi Davide,
so, I have to just manually add those rules inside the Htaccess Maker in the field "Custom rules on top of .htaccess file".

I have also to set:
- Disable HTTP methods TRACE and TRACK (protect against XST): Yes
or not ?!?

Many Thanks for help

tampe125
Akeeba Staff
> I have also to set:
> - Disable HTTP methods TRACE and TRACK (protect against XST): Yes
> or not ?!?

No, since it creates a different rule that is not supported by your server.

joomleb
Hi Davide,
many thanks, the suggestion received from my Server provider seems to work...

tampe125
Akeeba Staff
You're welcome!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
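
A way to verify the outcome this ticket ends on, as an added example that is not part of the thread or of Admin Tools: the script sends each method with a random marker header to a site you administer and reports whether the server refuses it or echoes the request back. The header name `X-Trace-Probe` and the function names are made up for this example; with the host's rule in place, HEAD and OPTIONS come back 403 along with TRACE and TRACK, because the pattern lists them too.

```python
import http.client
import sys
import uuid

METHODS = ("GET", "HEAD", "OPTIONS", "TRACE", "TRACK")
REFUSED = (403, 405, 501)  # statuses treated here as "method refused"


def probe(host, port, method, path="/", tls=False, timeout=5):
    """Send one request; return (status, echoed).

    echoed is True when the response body reflects our marker header,
    which is the behaviour XST relies on.
    """
    marker = uuid.uuid4().hex  # constructed value standing in for a cookie
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536)
        return resp.status, marker.encode() in body
    finally:
        conn.close()


def audit(host, port, tls=False):
    """Return {method: "<status> <verdict>"} for a site you administer."""
    report = {}
    for method in METHODS:
        try:
            status, echoed = probe(host, port, method, tls=tls)
        except (OSError, http.client.HTTPException) as exc:
            report[method] = "error " + type(exc).__name__
            continue
        if echoed:
            verdict = "echoes request (TRACE still enabled)"
        elif status in REFUSED:
            verdict = "blocked"
        else:
            verdict = "allowed"
        report[method] = f"{status} {verdict}"
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    # Pass your own hostname as the first argument; HTTPS on port 443 assumed.
    for method, result in audit(sys.argv[1], 443, tls=True).items():
        print(f"{method:8}{result}")
```

A "blocked" verdict for HEAD or OPTIONS is worth noting before keeping the rule as given, since uptime monitors and CORS preflight requests use those methods.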
