MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » January 2014

Possible iSeries HTTP vulnerabilties TRACE and/or TRACK methods



fixed


Security audit is requesting that these vulnerabilities be disabled.
Reviewing the httpd.conf config files, I see no evidence of TRACE and/or TRACK, so I'm assuming these are on by default, and need to be disabled by one of the suggested methods.
All of our HTTP instances are Apache 2.2.11(i5).
Am I correct that I need to re-visit every HTTP instance, adding one of the two recommendations below.

To disable
TraceEnabled Off

OR
...
# disable TRACE in the main scope of httpd.conf
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
...
<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</VirtualHost>

mod_rewrite must be active for these directives to be accepted. If mod_rewrite is not already active in your configuration:


Plugin Text: Synopsis: Debugging functions are enabled on the remote web server.
Description: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web
server connections.
Solution: Disable these methods. Refer to the plugin output for more information.
See Also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Risk Factor: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Temporal Score: 3.9
CVSS Temporal Vector: CVSS2#E:F/RL:W/RC:C
Plugin Output:
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Nessus sent


Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/





Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact