TRACK and TRACE HTTP Methods

by Brian Ball -
Number of replies: 3
So my security guy is using the NESSUS scanner and has alerted me to some issues on my Moodle server. "The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections."
I'm assuming right away this may have to do with the Development/Debugging feature built into the WebUI. 
Has anyone come across this? Is Moodle going to break if I disable these methods?
In reply to Brian Ball

Re: TRACK and TRACE HTTP Methods

by Ken Task -

Please see:

https://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html

Once you disable, check how Moodle is affected ...

Then, in config.php file add:

$CFG->debug=1;
$CFG->debugdisplay=1;

Check site.

Then mess up the config.php file by removing the ';' at the end of the debugdisplay and debug lines.

Hit site.

Remove those lines from config.php when you are done.

'SoS', Ken

In reply to Brian Ball

Re: TRACK and TRACE HTTP Methods

by Matteo Scaramuccia -

Hi Brian,
TRACK and TRACE are HTTP Methods you should disable in the Web Server serving the Moodle pages. Moodle is not a Web Server.

Moodle runs on top of DELETE GET HEAD OPTIONS POST PUT HTTP Methods.

HTH,
Matteo
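
One way to confirm the scanner finding is gone after TRACE and TRACK are disabled in the web server, as an added example that is not part of any reply in this thread. The header name `X-Trace-Probe`, the marker value and the function names are assumptions made for illustration; run it only against your own server.

```python
import http.client
import sys
from urllib.parse import urlsplit

DEBUG_METHODS = ("TRACE", "TRACK")   # the two methods named in the scanner finding
MARKER = "probe-7f3a91"              # constructed value sent in a request header

def classify(status, body):
    """Judge one response: a debug method is live if it echoes our request back."""
    if MARKER.encode() in body:
        return "enabled"             # request headers reflected in the response body
    if 400 <= status < 600:
        return "disabled"            # e.g. 405 or 501: the server refused the method
    return "review"                  # answered without echoing; inspect by hand

def probe(base_url, method, timeout=5):
    """Send one request using `method` and return (status, first 64 KiB of body)."""
    parts = urlsplit(base_url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        # X-Trace-Probe is a hypothetical header name, used only as an echo marker.
        conn.request(method, parts.path or "/", headers={"X-Trace-Probe": MARKER})
        resp = conn.getresponse()
        return resp.status, resp.read(65536)
    finally:
        conn.close()

def audit(base_url):
    """Return {method: (status, verdict)} for TRACE and TRACK."""
    results = {}
    for method in DEBUG_METHODS:
        status, body = probe(base_url, method)
        results[method] = (status, classify(status, body))
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for method, (status, verdict) in audit(sys.argv[1]).items():
            print(f"{method}: HTTP {status} -> {verdict}")
    else:
        # Constructed responses, so the classifier can be seen without a server.
        echoed = b"TRACE / HTTP/1.1\r\nX-Trace-Probe: " + MARKER.encode() + b"\r\n"
        print(classify(200, echoed), classify(405, b"Method Not Allowed"),
              classify(200, b"<html>login page</html>"))
```

Pass the site's base URL as the only argument; a "review" verdict means the server answered the method without reflecting the request, which is worth checking by hand.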