Meena Vyas

Monday October 30, 2006

Disabling TRACE in Sun Java System Web Server 7.0

In Sun Java System Web Server 7.0 or Sun ONE Web Server 6.1, comment out the TRACE Service directive in obj.conf:
#Service method="TRACE" fn="service-trace"

For releases prior to Sun ONE Web Server 6.1, use this Client block instead:

<Client method="TRACE">
AuthTrans fn="set-variable"
         remove-headers="transfer-encoding"
         set-headers="content-length: -1"
         error="501"
</Client>

There is a perception that Sun Java System Web Server (Web Server) is somehow vulnerable because of these methods.
These methods (except for TRACE) are NOT enabled by default in the Web Server. The fact that an OPTIONS request lists these methods does not mean they can be exploited.

Web Server responds to the HTTP OPTIONS method by reporting the methods it understands. Note that an indication that a method is understood is no guarantee that the method is permitted or will be executed.

By default Web Server blocks all "privileged" HTTP methods behind the Access Control List (ACL) system. Attempts to invoke these methods are answered with an HTTP 401 (Unauthorized) status code requesting credentials from the User-Agent. If valid credentials are provided, or if the default ACL is disabled, Web Server responds with an HTTP 405 (Method Not Allowed) status code.

You can also deny these methods outright by adding this as the first ACE in default.acl:
deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";
Posted by meena ( Oct 30 2006, 12:55:04 PM IST ) Permalink Comments [4]

Comments:

When I add
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

for our iPlanet server, it doesn't disable TRACE when I use HTTP 1.1 to send the request. For example:

Trace /HTTP/1.1
host:www.xxxxxxx.com
a:ssss

The server responds with 413 instead of 501.

So how do I disable the HTTP 1.1 request? It is confusing.

Posted by chenlingreen on April 24, 2008 at 08:23 AM IST #

Try "TRACE" rather than "Trace". The HTTP/1.1 RFC says (http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1):
"The method is case-sensitive."

Also, there should be a space between the URI "/" and the protocol "HTTP/1.1".
I get 501 in both cases.

Posted by meena on June 02, 2008 at 06:07 PM IST #

I am running iPlanet ver 6.0 SP5. I tried with "obj.conf" & "acl" too but no luck.

telnet www.mysitename.com 80
TRACE / HTTP/1.1
Host: mysitename.com
Via: <script>alert('QualysXSS');</script>

The response is of the form:

HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Tue, 12 Aug 2008 19:15:14 GMT
Content-length: 83
Content-type: message/http

TRACE / HTTP/1.1
Host: mysitename.com
Via: <script>alert('QualysXSS');</script>

Any suggestion ?

Posted by Ajay on August 13, 2008 at 09:50 PM IST #

Yes, I searched all obj.conf files in <ws-install-dir>/https-<instance-name>/config/ and deleted all lines that had TRACE in them.

When I send a request :
TRACE / HTTP/1.1
Host: mysitename.com
Via: <script>alert('QualysXSS');</script>

I get :
HTTP/1.1 405 Method Not Allowed
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 14 Aug 2008 07:09:53 GMT
Allow: HEAD, GET
Content-length: 147
Content-type: text/html

<HTML><HEAD><TITLE>Method Not Allowed</TITLE></HEAD>
<BODY><H1>Method Not Allowed</H1>
The server is unable to process your request.
</BODY></HTML>

BTW, you can try my blog entries on Intrusion Detection http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
and http://blogs.sun.com/meena/entry/cross_site_scripting_prevention_in

P.S. If you are using Web Server 6.0, please migrate to the latest Web Server 7.0 update 3: http://sun.systemnews.com/go/2?a=20248&l=http%3A%2F%2Ftinyurl.com%2F4l7yed

For any questions, please write to http://forums.sun.com/forum.jspa?forumID=759

Posted by meena on August 14, 2008 at 12:48 PM IST #
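As an added example (not code from the post, and not part of Sun's Web Server), here is a Python script that automates the verification shown in the telnet exchanges above, after the obj.conf or default.acl change from the post has been applied. It builds a correctly formed TRACE request (the upper-case method and the space before HTTP/1.1 that the first comment got wrong), and classifies the server's answer: a 200 with Content-type message/http that echoes the request means TRACE is still enabled; 401, 405 or 501 means it is blocked. The two sample responses are constructed from the ones quoted in the comments with shortened bodies, not live captures; probe_trace is the live check to run against a server you administer.

```python
import socket

# Sample responses, constructed from the ones quoted in the comment thread
# (bodies shortened). They are not live captures.
TRACE_ECHOED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Netscape-Enterprise/6.0\r\n"
    b"Content-length: 40\r\n"
    b"Content-type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: mysitename.com\r\n"
)
TRACE_REFUSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Sun-Java-System-Web-Server/7.0\r\n"
    b"Allow: HEAD, GET\r\n"
    b"Content-type: text/html\r\n"
    b"\r\n"
    b"<HTML><BODY><H1>Method Not Allowed</H1></BODY></HTML>\r\n"
)


def build_trace_request(host: str, path: str = "/") -> bytes:
    """Build a well-formed HTTP/1.1 TRACE request.

    Two details from the comment thread matter: the method is the upper-case
    token TRACE (RFC 2616 5.1.1: methods are case-sensitive) and there is a
    single space between the request-URI and the protocol version.
    """
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'other' for the answer to a TRACE.

    TRACE still honoured: 200 with message/http (the request is echoed back).
    TRACE blocked: 405 or 501 after the obj.conf change, or 401 when the
    default ACL challenges the request.  Anything else (e.g. the 413 seen
    for a malformed request line) is reported as 'other'.
    """
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").lower()
    if status == 200 and (ctype.startswith("message/http") or body.startswith(b"TRACE ")):
        return "enabled"
    if status in (401, 405, 501):
        return "disabled"
    return "other"


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one TRACE to a server you administer and classify the answer.

    This is the telnet check from the thread, automated; hostname and port
    are parameters you supply.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    for label, sample in (("iPlanet 6.0 sample", TRACE_ECHOED),
                          ("Web Server 7.0 sample", TRACE_REFUSED)):
        print(label, "->", classify_trace_response(sample))
```

Run with no arguments it classifies the two embedded samples; call probe_trace("www.yourserver.example") to check a live instance after editing obj.conf or default.acl and restarting the server.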


This blog copyright 2009 by meena