Monday October 30, 2006
Disabling TRACE in Sun Java System Web Server 7.0
In Sun Java System Web Server 7.0 or Sun ONE Web Server 6.1, comment out the TRACE service line in obj.conf:
#Service method="TRACE" fn="service-trace"
For releases prior to Sun ONE Web Server 6.1:
<Client method="TRACE">
    AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
There is a perception that Sun Java System Web Server (Web Server) is somehow vulnerable because of these methods.
These methods (except for TRACE) are NOT enabled by default in Web Server. The fact that an OPTIONS request lists them does not mean they can be exploited.
Web Server responds to the HTTP OPTIONS method by reporting the methods it understands. An indication that a method is understood is no guarantee that the method is permitted or will be executed.
By default, Web Server places all "privileged" HTTP methods behind the Access Control List (ACL) system. Attempts to invoke these methods are answered with an HTTP 401 (Unauthorized) response requesting credentials from the User-Agent. If valid credentials are supplied, or if the default ACL is disabled, Web Server responds with HTTP 405 (Method Not Allowed).
You can also add this deny rule as the first ACE in default.acl:
deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir)
user="anyone";
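To confirm that the setting took effect on your own server, here is an added Python check (not code from the original post). It sends one HTTP/1.1 TRACE request and treats any reply that does not echo the request back as TRACE being off, whatever the exact status (401, 405 or 501); a 2xx whose body repeats the request headers means TRACE is still active. The hostname, port and the X-Trace-Probe marker header are assumptions.

```python
"""Check whether a web server echoes HTTP TRACE requests.

Added example, not part of the original post. The marker header name,
host and port are assumptions; the sample replies below are constructed.
"""
import http.client

MARKER = "X-Trace-Probe"   # hypothetical header used to recognise an echo


def classify_trace_response(status, body):
    """Return 'echoed' if the server sent our request back (TRACE active),
    otherwise 'not echoed' (TRACE disabled, whatever the error status)."""
    if 200 <= status < 300 and MARKER.lower() in body.lower():
        return "echoed"
    return "not echoed"


def check_trace(host, port=80, timeout=5):
    """Send one HTTP/1.1 TRACE to our own server and classify the reply.
    Returns (status, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # http.client always speaks HTTP/1.1 and adds the Host header itself.
        conn.request("TRACE", "/", headers={MARKER: "1"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, classify_trace_response(resp.status, body)
    finally:
        conn.close()


# Constructed sample replies so the classifier can be exercised offline.
SAMPLE_ECHO_BODY = (
    "TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Trace-Probe: 1\r\n\r\n"
)
SAMPLE_501_BODY = "<html><body>Not Implemented</body></html>"

if __name__ == "__main__":
    print(classify_trace_response(200, SAMPLE_ECHO_BODY))  # echoed
    print(classify_trace_response(501, SAMPLE_501_BODY))   # not echoed
    print(classify_trace_response(405, ""))                # not echoed
    # Against a live server of your own:  print(check_trace("www.example.com"))
```

Run it against the server you just reconfigured; a status such as 413, 405 or 501 with no echoed marker all count as TRACE disabled.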
When I add
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>
for our iPlanet server, it doesn't disable TRACE when I use HTTP 1.1 to send the request. For example:
Trace /HTTP/1.1
host:www.xxxxxxx.com
a:ssss
The server responds with 413 instead of 501.
So how do I disable the HTTP 1.1 request? I'm confused.
Posted by chenlingreen on April 24, 2008 at 08:23 AM IST #