Apache Friends Support Forum

[crashston3]

Hello guys,

Two doubts:

First:
I wonder how do I update the "mod_ssl" the "xampp 1.7.3 win32" to the latest version of "mod_ssl"? I tried to install the latest version of xampp, but then my web application does not work. Would any way to update the "mod_ssl" up to its latest version?

Second:
How do I disable the HTTP TRACE METHOD in apache the xampp 1.7.3?

I thank!

[crashston3]

BUMP

[crashston3]

Could someone help me?

[JonB]

OK - I'll tackle this one for you -

A. you have not mentioned exactly WHICH version of mod_SSL you would like to install, or addressed "why" you need it (specific errors). (beyond saying your web application won't work) perhaps you really mean 'it doesn't work' there is a HUGE difference.

B. What version and 'from where' to you plan to source your 'new' mod_SSL???

C. Now I'll go on a bit about 'mods' and Apache on Windows. Generally speaking, ON WINDOWS you can't 'mix and match' mod versions. Why is that? Because FOR WINDOWS mods have to be compiled. and there's more than one compiler. XAMPP is built with the 'VC6' compiler, so therefore you would need a 'VC6' (Microsoft Visual C version 6) compilation. Additionally, there is the matter of knowing what parameters were used when compiling. Many of the Apache recompiles are VC9 (which pretty much really only runs on IIS) You would most likely need a complete Apache re-compile.

http://stackoverflow.com/questions/3126 ... ux-distros

http://httpd.apache.org/docs/2.0/mod/mo ... l#creating

http://www.websiteadministrator.com.au/ ... e2217.html

On *nix stacks, the OS comes with a c compiler, and the objects and a framework (build/make) are already in place for 're-compiles'. Also not a beginners project 'over there' either.

http://httpd.apache.org/docs/2.0/install.html

The short answer is likely 'you can't do what you want to do at the moment' (at least with XAMMP)

[crashston3]

Hello JonB, thanks for answering my question!

I'll explain my problem.

I have a game server. I also have the website of the game where the User may create your account and check everything for him. But the website only works with xampp 1.7.3. Until I tried using the latest version of xampp, but could not make it work.

So I did some tests with the program "Acunetix Web Vulnerability Scanner" and I found these vulnerabilities in the first post I mentioned.

If I can, I plan to update the mod_ssl to its latest version if the "xampp 1.7.3" support.

One more quick question.

How do I disable the http trace method on xampp 1.7.3?

I thank!

[Altrea]

How do I disable the http trace method on xampp 1.7.3?

Code: Select all

TraceEnable off

http://httpd.apache.org/docs/current/mo ... raceenable

[Sharley]

COMMENT ONLY

Jon in this topic how to disable the HTTP TRACE METHOD
viewtopic.php?f=16&t=47241
now just 2 topics down in the list from this one, which also contained a more detailed answer to the OP's second question, quite rightly wrote:

AND

C. only ask for help with a single problem in each thread/topic - it makes it difficult for those actually using search to locate answers

A very good point for all posters (not only in these forums) to remember and shows Jon has the best interest of forum searchers at heart - well done Jon and thanks for pointing this out for all to read - good to see such an experienced troubleshooter has returned to this forum.


So I wonder why this post:

Code: Select all

TraceEnable off

http://httpd.apache.org/docs/current/mo ... raceenable

perhaps he missed the above referenced topic in his exuberance to provide a much less detailed answer.

Also the OP, after much bumping, did not read other related very near topics including providing all the requested details from Jon to his first question, which is important when someone volunteers their free time to help find an accurate solution to what can be obscure XAMPP issues.

[crashston3]

This method TraceEnable off I had tried the way the JonB posted, but still not disabled.

How do I know? After making this change in httpd.conf I restarted the service apache and again did the scan with Acunetix Web Vulnerability Scanner and he pointed out that my website still had the security failure.

For this reason I posted here in the forum asking how to disable HTTP TRACE METHOD, because I thought it might be different configuration. Always realize the search google before posting in forums on issues that have doubts.

Thank you all for answering my question!

[JonB]

Although I have not had reason to turn off the HTTP trace method, I do know it is closely associated with mod_rewrite. If you are using mod_rewrite, you may not be able to disable HTTP trace. This kind of question really should be posted on the Apache Project for a truly definitive answer.

How to get Apache Support
http://httpd.apache.org/docs/2.0/faq/al ... er-support

Apache Lounge (True Apache Geeks)
http://www.apachelounge.com/viewforum.php?f=5

I'll also say that if you are planning/architecting web services, XAMPP for Windows (although I love it) is not a good prototyping platform, too many quirks (not particularly with Apache) that will lead to 'it works one place and does not work in the other place' and things that WILL NOT work at all. I run a Fedora workstation and server for critical testing (JMHO). XAMMP is best for designing and testing PHP, Java and Perl driven web scripts that are non-critical (and that covers a lot of gorund)

Although these Forums often have PHP, Perl, phpMyAdmin and MySQL questions answered, the real purpose of the forum is to support the XAMPP distribution, not its components. No one here developed any of that software - the XAMPP team debugs, configures, bundles (make/build) and compiles it and then creates the installers/scripts only. THAT is a LOT of work and keeps the bosses busy.

Good Luck with your project.

[JonB]

About using analytic tools for server security appraisals:

I don't know the context you wish to run XAMPP in -- BUT -- XAMMP is SPECIFICALLY not recommended for production use. You would also have to examine the practical implications and potential impact of each vulnerability. In almost all cases, using XAMPP as recommended (after doing the Basic XAMPP security fixes, and securing WebDAV) you will find its quite secure. As for things like HTTPS, Open SSL, Server Certificates and so forth - again XAMPP was not intended for production use.

If you would like to, you could send me a PM describing what you are trrying to do, and I would give you a quick assessment. (this is what I do professionally). I have a basic guide fior securing XAMMP and Ms. Sharley has a WebDAV fixup to follow.

Good Luck