MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » January 2014

RE: Possible iSeries HTTP vulnerabilties TRACE and/or TRACK methods



fixed

Vern,

1) Was able to confirm by ssh to a Linux server, then TELNET to the server / port I needed to confirm.
SSH to linux test server
call qp2term
ssh -T PAULS@x.x.x.x<mailto:PAULS@x.x.x.x>

telnet z.z.z.z.z 83

in blank screen type
TRACE / HTTP/1.1
Host: z.z.z.z
TRACE: yes


Hit enter after each line and enter once after the 3rd line.

You will get the following response indicating the issue has been fixed.


Escape character is '^]'.
TRACE / HTTP/1.1
Host: z.z.z.z
TRACE: yes

HTTP/1.1 405 Method Not Allowed
Date: Wed, 15 Jan 2014 19:45:04 GMT
Server: Apache
Allow:
Content-Length: 223
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
<P>The requested method TRACE is not allowed for the URL /.</P>
</body></html>

2) The EnableTrace Off directive is working for some instances but failing for others, see error message below.
I was always placing the directive immediately doc root.
13

DocumentRoot /www/zendsvr6/htdocs

14

#EnableTrace Off



HTP8006 Diagnostic 40 01/15/14 17:54:58.594124 QZSRAPR QHTTPSVR *STMT QZSRCORE QHTTPSVR *STMT
From module . . . . . . . . : QZSRSNDM
From procedure . . . . . . : sendMessageToJobLog_CCSID
Statement . . . . . . . . . : 27
To module . . . . . . . . . : HTTP_CONFI
To procedure . . . . . . . : ap_walk_config_sub
Statement . . . . . . . . . : 12
Message . . . . : Directive not recognized.
Cause . . . . . : Directive EnableTrace is not a recognized HTTP server
directive. The HTTP server did not start. Recovery . . . : Correct or
remove the directive. Then start the HTTP server again. Technical
description . . . . . . . . : See the HTTP server documentation on
configuration and administration for more information.
HTP8008 Escape 40 01/15/14 17:54:58.594761 QZSRAPR QHTTPSVR *STMT QZHBMAIN QHTTPSVR *STMT
From module . . . . . . . . : QZSRSNDM
From procedure . . . . . . : sendEscapeWithMessageFile
Statement . . . . . . . . . : 4
To module . . . . . . . . . : ZHBMAIN
To procedure . . . . . . . : BigSwitch__FiPPc
Statement . . . . . . . . . : 234
Message . . . . : HTTP Server Instance ZENDSVR6 failed during start-up.
Cause . . . . . : HTTP Server instance ZENDSVR6 failed because of a
configuration error on line 14 in configuration file
/www/zendsvr6/conf/httpd.conf. Note: If the specified directive is either a
container directive (e.g. <Directory>), or a directive within a container,
the line number identified above may not be correct. In that case, you will
need to verify that all directives in the container, and the container
itself do not have configuration errors. Recovery . . . : See previous
job log messages. Correct the problem and start the server again.






-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of bryan dietz
Sent: Wednesday, January 15, 2014 12:00 PM
To: Midrange Systems Technical Discussion
Subject: Re: Possible iSeries HTTP vulnerabilties TRACE and/or TRACK methods



make sure you use 2 lowercase "v's" '-vv'



--bryan





On Wed, Jan 15, 2014 at 11:43 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx<mailto:PSteinmetz@xxxxxxxxxx>>wrote:



Vern,



The -VV did not add any additional output.

I did confirm if you create a new HTTP instance at V7R1, TraceEnable

Off is included by default.



I'm still looking for tool/method to confirm.



--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx<mailto:MIDRANGE-L@xxxxxxxxxxxx> To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/midrange-l

or email: MIDRANGE-L-request@xxxxxxxxxxxx<mailto:MIDRANGE-L-request@xxxxxxxxxxxx> Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.







Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact