7th May 2008, 22:50
stirfry

@daveb - Unfortunately, that only works with certain versions of Apache. Furthermore, that directive is supposed to work in Apache 2.0.55, but it didn't do it for me. At least doing so didn't allow my server to pass the audit software I use and I'm not sure exactly how to test the vulnerability myself.

@rdike - I would think that one could change the function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php to something like this:

    $rewrite_rule = "RewriteEngine on"; // this existed
    $rewrite_rule .= "\nRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)"; // this was added
    $rewrite_rule .= "\nRewriteRule .* - [F]"; // this was added

After making this change, I went into ISPConfig Admin and "Saved" one of my sites (assuming it would re-generate the Vhosts_ispconfig.conf file). However, the Vhosts file didn't update. I thought, "Perhaps I'm missing a conditional in the PHP and it's never getting to the point where it turns on the RewriteEngine." So, I even tried a total hack by sticking it in the php variable (since all my sites have php enabled), but my Vhosts file was not updating.

So, now I've put those lines in an .htaccess file in the web root for each site, hoping that does the trick. I'll report back when the audit completes.

So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)

*Edit: I should say, two questions to someone who's smarter than me, as we all know "something". Falko? Till? You out there?

Last edited by stirfry; 8th May 2008 at 20:49.
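Added example, not part of stirfry's post: one way to check from the outside whether a site you run still answers TRACE or TRACK, which is the test the post says it lacked. The function names, the `X-Trace-Probe` header and the local stub server are assumptions made for this example; the stub stands in for Apache so the script runs offline.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def trace_status(host, port, method="TRACE", timeout=5):
    """Return 'echoed' if the server reflects the request, 'blocked' on 403/405/501."""
    marker = secrets.token_hex(8)  # random value we look for in the echoed request
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
    finally:
        conn.close()
    if resp.status == 200 and marker in body:
        return "echoed"   # method is enabled: our header came back in the body
    if resp.status in (403, 405, 501):
        return "blocked"  # 403 is what RewriteRule .* - [F] produces
    return f"other:{resp.status}"


class StubServer(BaseHTTPRequestHandler):
    """Constructed local stand-in for Apache so the example runs offline."""
    blocked = False  # True imitates a vhost where the rewrite rule is active

    def do_TRACE(self):
        if self.blocked:
            return self.send_error(403)
        echo = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    do_TRACK = do_TRACE


def demo(blocked):
    """Probe the stub with both methods and return the two results."""
    handler = type("Handler", (StubServer,), {"blocked": blocked})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return [trace_status("127.0.0.1", srv.server_port, m) for m in ("TRACE", "TRACK")]
    finally:
        srv.shutdown()
        srv.server_close()
```

Calling `trace_status` with the hostname and port of one of your own sites, before and after the change, shows whether the rule in the vhost or `.htaccess` file is actually being applied.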