justintx
asked on
Domino HTTP Trace Method
Our security team ran an audit and found the below issue with our Domino server. Any ideas how to fix it? In addition, how do I keep scanners from knowing that our server is even a Domino server to begin with?
Thanks,
Justin
A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.
The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information, but gets it after the target Web server echoes it back as its Trace response.
Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable.
The exact method(s) supported, Trace and/or Track, and their responses are in the Results section below.
CONSEQUENCES:
If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross site scripting attacks due to input validation errors.
SOLUTION:
Solutions for some of the common Web servers are supplied below. For other Web servers, please check your vendor's documentation.
Apache: Recent Apache versions have a Rewrite module that allows HTTP requests to be rewritten or handled in a specific way. Compile the Apache server with the mod_rewrite module. You might need to uncomment the 'AddModule' and 'LoadModule' directives in the httpd.conf configuration file. Add the following lines for each virtualhost in your configuration file:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</IfModule>
With this configuration, Apache catches all TRACE requests, and replies with a page reporting the request as forbidden. None of the original request's contents are echoed back.
A slightly tighter fix is to use:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</IfModule>
Microsoft IIS: Microsoft released URLScan, which can be used to screen all incoming requests based on customized rulesets. URLScan can be used to sanitize or disable the TRACE requests from the clients. Note that IIS aliases 'TRACK' to 'TRACE'. Therefore, if URLScan is used to specfically block the TRACE method, the TRACK method should also be added to the filter.
URLScan uses the 'urlscan.ini' configuration file, usually in \System32\InetSrv\URLScan directory. In that, we have two sections - AllowVerbs and DenyVerbs. The former is used if the UseAllowVerbs variable is set to 1, else (if its set to 0), the DenyVerbs are used. Clearly, either can be used, depending on whether we want a Default-Deny-Explicit-Allo
Sun ONE/iPlanet Web Server: Here are the sun recommandations to disable the trace method.
For more details about other web servers : Cert Advisory.
RESULT:
TRACE / HTTP/1.1
Host: XXX-XXX-XXX-XXX.internet.s
Via: <script>alert('QualysXSS')
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Fri, 13 Aug 2004 10:07:42 GMT
nnCoection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 13 Aug 2004 10:07:42 GMT
Content-Type: message/http
Content-Length: 100
TRACE / HTTP/1.1
Host: XXX-XXX-XXX-XXX.internet.s
Via: <script>alert('QualysXSS')
Thanks,
Justin
A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.
The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information, but gets it after the target Web server echoes it back as its Trace response.
Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable.
The exact method(s) supported, Trace and/or Track, and their responses are in the Results section below.
CONSEQUENCES:
If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross site scripting attacks due to input validation errors.
SOLUTION:
Solutions for some of the common Web servers are supplied below. For other Web servers, please check your vendor's documentation.
Apache: Recent Apache versions have a Rewrite module that allows HTTP requests to be rewritten or handled in a specific way. Compile the Apache server with the mod_rewrite module. You might need to uncomment the 'AddModule' and 'LoadModule' directives in the httpd.conf configuration file. Add the following lines for each virtualhost in your configuration file:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</IfModule>
With this configuration, Apache catches all TRACE requests, and replies with a page reporting the request as forbidden. None of the original request's contents are echoed back.
A slightly tighter fix is to use:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</IfModule>
Microsoft IIS: Microsoft released URLScan, which can be used to screen all incoming requests based on customized rulesets. URLScan can be used to sanitize or disable the TRACE requests from the clients. Note that IIS aliases 'TRACK' to 'TRACE'. Therefore, if URLScan is used to specfically block the TRACE method, the TRACK method should also be added to the filter.
URLScan uses the 'urlscan.ini' configuration file, usually in \System32\InetSrv\URLScan directory. In that, we have two sections - AllowVerbs and DenyVerbs. The former is used if the UseAllowVerbs variable is set to 1, else (if its set to 0), the DenyVerbs are used. Clearly, either can be used, depending on whether we want a Default-Deny-Explicit-Allo
Sun ONE/iPlanet Web Server: Here are the sun recommandations to disable the trace method.
For more details about other web servers : Cert Advisory.
RESULT:
TRACE / HTTP/1.1
Host: XXX-XXX-XXX-XXX.internet.s
Via: <script>alert('QualysXSS')
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Fri, 13 Aug 2004 10:07:42 GMT
nnCoection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 13 Aug 2004 10:07:42 GMT
Content-Type: message/http
Content-Length: 100
TRACE / HTTP/1.1
Host: XXX-XXX-XXX-XXX.internet.s
Via: <script>alert('QualysXSS')
It says that you can add a line
Disable TRACE
to the file httpd.cnf, but that it isn't supported. I don't know if it will work for your server version.
Disable TRACE
to the file httpd.cnf, but that it isn't supported. I don't know if it will work for your server version.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Atcually, isn't TRACE disabled by default on Domino? This seems odd. mAYBE IT CHANGED BETWEEN 5 AND 6, DUNNO.
http://www.bluestream.org/Domino/ConfigureHTTPDcnf.htm