Moodle in English: TRACK and TRACE HTTP Methods

So my security guy is using the NESSUS scanner and has alerted me to some issues on my Moodle server. "The remote web server supports the TRACE and/or TRACK methods. TRACE

and TRACK are HTTP methods that are used to debug web server

connections."

I'm assuming right away this may have to do with the Development/Debugging feature built into the WebUI.

Has anyone come across this? Is Moodle going to break if I disable these methods?

評点平均: -

Re: TRACK and TRACE HTTP Methods

2023年 02月 18日(土曜日) 08:44 - Ken Task の投稿

Please see:

https://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html

once you disable, check how moodle is affected ...

Then, in config.php file add:

$CFG->debug=1;
$CFG->debugdisplay=1;

Check site.

Then mess up the the config.php file by removing the ';' at the end of the debugdisplay and debug lines.

Hit site.

Remove those lines from config.php when you are done.

'SoS', Ken

評点平均: -

Re: TRACK and TRACE HTTP Methods

2023年 02月 22日(水曜日) 00:32 - Brian Ball の投稿

So I did find this article based on my Apache version running 2.4.52:
https://www.linuxcnf.com/2017/08/how-to-disable-tracetrack-in-apachehttpd.html"

This worked perfectly as the article states, but do you think this is enough? I'll have my security guy run another scan to confirm.

評点平均: -

Re: TRACK and TRACE HTTP Methods

2023年 02月 18日(土曜日) 18:30 - Matteo Scaramuccia の投稿

Hi Brian,
TRACK and TRACE are HTTP Methods you should disable in the Web Server serving the Moodle pages. Moodle is not a Web Server.

Moodle runs on top of DELETE GET HEAD OPTIONS POST PUT HTTP Methods.

HTH,
Matteo

評点平均: -

Web services

TRACK and TRACE HTTP Methods

TRACK and TRACE HTTP Methods

Re: TRACK and TRACE HTTP Methods

Re: TRACK and TRACE HTTP Methods

Re: TRACK and TRACE HTTP Methods

Empowering educators to improve our world

Moodle

Support

Get Involved

Contributions

Downloads

Tracker

Development

Empowering educators to improve our world