TRACK and TRACE HTTP Methods

by Brian Ball
Number of replies: 3
So my security guy is using the NESSUS scanner and has alerted me to some issues on my Moodle server. "The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections."
I'm assuming right away this may have to do with the Development/Debugging feature built into the WebUI. 
Has anyone come across this? Is Moodle going to break if I disable these methods?
In reply to Brian Ball

Re: TRACK and TRACE HTTP Methods

by Ken Task

Please see:

https://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html

Once you disable, check how Moodle is affected ...

Then, in config.php file add:

$CFG->debug=1;
$CFG->debugdisplay=1;

Check site.

Then mess up the config.php file by removing the ';' at the end of the debugdisplay and debug lines.

Hit site.

Remove those lines from config.php when you are done.

'SoS', Ken

In reply to Ken Task

Re: TRACK and TRACE HTTP Methods

by Brian Ball
So I did find this article based on my Apache version running 2.4.52:
https://www.linuxcnf.com/2017/08/how-to-disable-tracetrack-in-apachehttpd.html

This worked perfectly as the article states, but do you think this is enough? I'll have my security guy run another scan to confirm.
In reply to Brian Ball

Re: TRACK and TRACE HTTP Methods

by Matteo Scaramuccia

Hi Brian,
TRACK and TRACE are HTTP Methods you should disable in the Web Server serving the Moodle pages. Moodle is not a Web Server.

Moodle runs on top of DELETE GET HEAD OPTIONS POST PUT HTTP Methods.

HTH,
Matteo
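
A way to confirm the web server change before the rescan, added here as an example and not part of the thread: this Python script sends TRACE and TRACK to a server and reports whether each request was refused or echoed back. The marker header name and value, and the script name in the usage comment, are constructed for the example.

```python
import http.client
import sys

# The two methods the scanner finding in this thread is about.
DEBUG_METHODS = ("TRACE", "TRACK")
MARKER = "trace-check-7f3a"  # constructed value; any unique string works


def probe(host, port, method, use_tls=False, timeout=5):
    """Send one request and return (status, echoed).

    echoed is True when the response body reflects our marker header back,
    which is what a server that really implements TRACE does.
    """
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Check": MARKER})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return resp.status, MARKER in body
    finally:
        conn.close()


def verdict(status, echoed):
    """Classify a probe result; the echo matters more than the status code."""
    if echoed:
        return f"enabled ({status}, request echoed)"
    if status >= 400:
        return f"refused ({status})"
    # 2xx/3xx without an echo: the method reached some handler (for example
    # the application's front page) but the request was not reflected.
    return f"accepted without echo ({status})"


def audit(host, port, use_tls=False):
    """Probe every method in DEBUG_METHODS and return {method: verdict}."""
    results = {}
    for method in DEBUG_METHODS:
        try:
            results[method] = verdict(*probe(host, port, method, use_tls))
        except (OSError, http.client.HTTPException) as exc:
            results[method] = f"no response ({type(exc).__name__})"
    return results


if __name__ == "__main__":
    # Usage: python3 check_trace.py HOST PORT [tls]
    host, port = sys.argv[1], int(sys.argv[2])
    for method, result in audit(host, port, use_tls="tls" in sys.argv[3:]).items():
        print(f"{method}: {result}")
```

A "refused" verdict for both methods is the expected result after the change; a normal GET of the Moodle front page should still return its usual response.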