MIDRANGE dot COM Mailing List Archive




Re: Possible iSeries HTTP vulnerabilities TRACE and/or TRACK methods




Paul

Here's a sample based on the documentation for STRTCPSVR -

STRTCPSVR SERVER(*HTTP) HTTPSVR(HTTP1 '-vv')

'-vv' is the second element of the HTTPSVR parameter - there are several other items you can use there, as well - SSL port, other things - some are probably part of the startup parameters in the QSYSINC member that defines that.

There is '-ve', which is for error tracing, then '-vi' for informational tracing, and '-V', which gives the version and some of the settings - check the documentation or the help on STRTCPSVR.

I've only used '-vv' - remember to run just a little bit under this, then ENDTCPSVR - then look for spooled files probably under user QTMHHTTP. There'll be several.

Enjoy!
Vern

On 1/14/2014 5:24 PM, Steinmetz, Paul wrote:
Vern,

I'll give that a try.
Where do you set the '-vv'?

Here's an update from IBM.
"I think I know what the issue is, at 710 when you create a new Apache server it adds the Traceenable Off to the config file, at 610 it does not. So if you have a server at 610 and upgraded to 710 you will still need to add this directive. So it's misleading in the infocenter."

So I need to revisit every instance and add the directive, then

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Vernon Hamberg
Sent: Tuesday, January 14, 2014 5:45 PM
To: Midrange Systems Technical Discussion
Subject: Re: Possible iSeries HTTP vulnerabilties TRACE and/or TRACK methods

I wonder if you'd get the info you want if you start the Apache instance in verbose mode, make a normal connection in your browser, then shut off the instance - you get a bunch of spooled files with all kinds of info on what was done.

You use '-vv' in the options to get verbose mode.

Vern

On 1/14/2014 4:42 PM, Steinmetz, Paul wrote:
V6R1 info center shows default is on.
V7R1 info center shows default is off.
Did the default change from V6R1 to V7R1, or could there be a typo in the center?

With Windows 7, can't use the recommended TELNET test to confirm the status.

"Normally you will have this enabled by default, but if you want to test if it is really enabled on your server you just have to telnet on the port your web server is running and request for "TRACE / HTTP/1.0" if you get a positive reply it means TRACE is enabled on your system."

Any recommendations on how to confirm?


-----Original Message-----
From: Steinmetz, Paul
Sent: Tuesday, January 14, 2014 4:19 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Possible iSeries HTTP vulnerabilties TRACE and/or TRACK
methods

So even if TraceEnable is not in the httpconf file, by default it is off.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Nadir Amra
Sent: Tuesday, January 14, 2014 3:35 PM
To: Midrange Systems Technical Discussion
Subject: Re: Possible iSeries HTTP vulnerabilties TRACE and/or TRACK
methods

According to the InfoCenter directive reference, if not specified the
default is

TraceEnable off

[1]
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=%2Frzaie%2Frzaiemod_core.htm


Nadir Amra




From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>,
Date: 01/14/2014 02:29 PM
Subject: Possible iSeries HTTP vulnerabilties TRACE and/or TRACK
methods
Sent by: midrange-l-bounces@xxxxxxxxxxxx




Security audit is requesting that these vulnerabilities be disabled.
Reviewing the httpd.conf config files, I see no evidence of TRACE and/or TRACK, so I'm assuming these are on by default, and need to be disabled by one of the suggested methods.
All of our HTTP instances are Apache 2.2.11(i5).
Am I correct that I need to re-visit every HTTP instance, adding one of the two recommendations below?

To disable
TraceEnable Off

OR
...
# disable TRACE in the main scope of httpd.conf
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
...
<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</VirtualHost>

mod_rewrite must be active for these directives to be accepted. If mod_rewrite is not already active in your configuration:


Plugin Text: Synopsis: Debugging functions are enabled on the remote
web server.
Description: The remote web server supports the TRACE and/or TRACK
methods. TRACE and TRACK are HTTP methods that are used to debug web
server connections.
Solution: Disable these methods. Refer to the plugin output for more
information.
See Also:
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Risk Factor: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Temporal Score: 3.9
CVSS Temporal Vector: CVSS2#E:F/RL:W/RC:C
Plugin Output:
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Nessus sent


Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/
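
Added example, not part of the original thread: one way to answer the "how to confirm" question without a telnet client is to send the TRACE and TRACK requests from a short Python script, run against each of your own HTTP instances before and after adding the directive. The script name trace_check.py and the header name X-Trace-Check are made up for this example, and it speaks HTTP/1.1 rather than the HTTP/1.0 shown in the quoted telnet test.

```python
"""Check whether a web server still answers TRACE/TRACK (no telnet client needed)."""
import http.client
import sys
import uuid

def probe_method(host, port, method, use_tls=False, timeout=5.0):
    """Send `method /` once; 'enabled' is True only if the request was echoed back."""
    marker = uuid.uuid4().hex  # random value for the made-up X-Trace-Check header
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        ctype = (resp.getheader("Content-Type") or "").lower()
    except (OSError, http.client.HTTPException) as exc:
        # Connection refused, timeout, TLS failure: status unknown, not "disabled".
        return {"method": method, "status": None, "enabled": None, "detail": repr(exc)}
    finally:
        conn.close()
    # An enabled TRACE answers 200 with the request echoed as message/http.
    echoed = marker in body or ctype.startswith("message/http")
    enabled = resp.status == 200 and echoed
    # TraceEnable Off normally yields 405; the RewriteRule [F] variant yields 403.
    detail = "request echoed back" if enabled else f"refused or not echoed ({resp.reason})"
    return {"method": method, "status": resp.status, "enabled": enabled, "detail": detail}

def check_server(host, port, use_tls=False):
    """Probe both methods the scanner flags; return (all_disabled, results)."""
    results = [probe_method(host, port, m, use_tls) for m in ("TRACE", "TRACK")]
    all_disabled = all(r["enabled"] is False for r in results)
    return all_disabled, results

if __name__ == "__main__":
    # Usage: python trace_check.py <host> <port> [tls]
    host, port = sys.argv[1], int(sys.argv[2])
    ok, results = check_server(host, port, use_tls=len(sys.argv) > 3)
    for r in results:
        print(f"{r['method']:5} status={r['status']} enabled={r['enabled']} {r['detail']}")
    sys.exit(0 if ok else 1)
```

The exit code is 0 only when both methods were answered and neither was echoed, so the script can be looped over every instance's port.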






