
iCal Server failing security checks

Thinking caps on.
My server keeps failing PCI security checks because port 8008 has a TRACE vulnerability.

Tested myself:

-----------------------------
TRACE / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 18
Accept-Ranges: bytes
Server: Twisted/8.2.0 TwistedWeb/8.2.0
Last-Modified: Sat, 27 Feb 2010 13:33:53 GMT
DAV: 1, access-control
ETag: "4534C-88-4B891F41"
Date: Tue, 08 Mar 2011 14:37:07 GMT
Content-Type: message/http
Connection: close

TRACE / HTTP/1.0
Connection closed by foreign host.

--------------------------------
Now, on the web server's Apache this TRACE is disabled, but iCal uses the calendarserver, a Python-based system that runs its own Apache.


So, any ideas how to disable TRACE and TRACK in iCal Server?

MacBook, Mac OS X (10.6.6)

Posted on Mar 8, 2011 6:51 AM


Feb 20, 2014 4:14 PM in response to Samuel Macomber

I realize this is an ancient thread, but I ran into this myself recently and Googled up this unanswered question.


What worked for me is setting up OS X Server's Apache to reverse-proxy port 8443 and forward the traffic to the Calendar Server's unsecure 8008 port. You have to turn off the Calendar Server's own SSL on 8443. Furthermore, you have to hand-edit the appropriate conf file in /etc/apache2/sites to have the needed rewrite rules after adding the new 8443 site in the GUI. But it seems to work. Apache can be told not to support TRACE but the built-in web server of the Calendar Server can't.


This is the basic method, as applied to another application:


http://bensoftware.com/blog/setting-up-securityspy-over-ssl/


The write-up only covers the non-server version of OS X, but does have the correct rewrite rules.


You could also use an entirely different machine for the reverse proxy and forward the traffic across your own private network. Lots of options.
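
A way to repeat the manual TRACE test from the question against your own server once the proxy is in place, and to cover TRACK as well (added example, not part of either post; the `trace_echoed` and `probe` names and the sample responses are constructed for illustration):

```python
import socket
import ssl

# Constructed samples: the first mirrors the reply shown in the question,
# the second is a made-up refusal such as a front end with TRACE turned off returns.
SAMPLE_REQUEST = b"TRACE / HTTP/1.0\r\n\r\n"
SAMPLE_ECHOED = (b"HTTP/1.1 200 OK\r\nContent-Length: 18\r\n"
                 b"Content-Type: message/http\r\nConnection: close\r\n\r\n"
                 b"TRACE / HTTP/1.0\r\n")
SAMPLE_REFUSED = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                  b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def trace_echoed(request: bytes, response: bytes) -> bool:
    """Return True when the response is a 200 that reflects the request back."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(None, 2)
    if len(status) < 2 or not status[0].startswith(b"HTTP/") or status[1] != b"200":
        return False  # 403/405/501 or garbage: the method was not honoured
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    request_line = request.split(b"\r\n", 1)[0]
    # Either signal is enough: the TRACE media type, or our request line in the body.
    return (headers.get(b"content-type", b"").startswith(b"message/http")
            or request_line in body)


def probe(host: str, port: int, method: str = "TRACE", tls: bool = False) -> bool:
    """Send one TRACE/TRACK request to a server you administer and classify the reply."""
    request = f"{method} / HTTP/1.0\r\n\r\n".encode("ascii")
    sock = socket.create_connection((host, port), timeout=5)
    if tls:  # for the SSL port; certificate verification uses the system defaults
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return trace_echoed(request, b"".join(chunks))


if __name__ == "__main__":
    print("echoed sample: ", trace_echoed(SAMPLE_REQUEST, SAMPLE_ECHOED))
    print("refused sample:", trace_echoed(SAMPLE_REQUEST, SAMPLE_REFUSED))
```

Call `probe(host, 8443, tls=True)` and `probe(host, 8008)` with both `"TRACE"` and `"TRACK"`; every call should return `False` from wherever the PCI scanner connects.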
