
How to disable the HTTP TRACE /TRACK method to remove this Website Vulnerabilities for IIS/Apache

Posted on 2009-04-03
Last Modified: 2012-05-06
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. The HTTP TRACE method, as described in RFC 2516 of the HTTP 1.1 standard, is used for debugging and network analysis purposes. When enabled, a remote attacker could leverage this functionality with known cross-site scripting and other Web browser vulnerabilities, to obtain sensitive information about the Web server, including server cookies and authentication information. The attacker could then use this information to launch further attacks against the affected Web server.
Question by:Brijeshk9
18 Comments
 
LVL 21

Accepted Solution

by:
Julian Matz earned 1500 total points
ID: 24066062
I presume you have the latest stable release of Apache, in which case you should be able to use the following in your httpd.conf to turn this off:

TraceEnable off

Also, you might be interested in the Apache module, mod_security:

http://www.modsecurity.org/
0
 

Author Comment

by:Brijeshk9
ID: 24071441
And what to do with IIS 5 & 6?
0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24072142
You might find this interesting for IIS 4 and higher:

http://technet.microsoft.com/en-gb/security/cc242650.aspx
0
 

Author Comment

by:Brijeshk9
ID: 24083942
Can anyone help me by providing the exact steps we need to perform for this in IIS/Apache?
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 1500 total points
ID: 24084363
Sure.

For Apache:

1. Open up your Apache configuration.

2. Add following lines:

 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} ^TRACE
 RewriteRule .* - [F]

3. Save your configuration file.

4. Restart Apache.

For IIS:

1. Download the Setup.exe file for UrlScan 2.5.
(Link: http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-9928-7f94ef1c902a&displaylang=en )

2. Double-click the Setup.exe icon.

3. Review the agreement in the UrlScan Installer Package End User Agreement and then click Yes to accept the agreement and continue. If you click No, the installer will close.

4. When the installer completes, the following message is displayed: "UrlScan has been successfully installed." Click OK to close the installer.

Note: according to the US Dept. of Homeland Security, IIS 6 does not seem to be subject to the vulnerability.

http://www.kb.cert.org/vuls/id/288308
0
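A way to confirm on a server you administer that the Apache change above took effect, as an added example that is not part of this thread: classify_trace_response() is a pure function exercised with constructed responses, and probe_trace() (a hypothetical helper name) sends a single TRACE request over plain HTTP; the status codes it maps come from Apache's behaviour with TraceEnable off (405) and the RewriteRule ... [F] variant (403).

```python
# Added example, not from this thread: check whether an Apache server still
# honours TRACE. classify_trace_response() is pure and is exercised with
# constructed responses; probe_trace() actually connects to host:port.
import socket


def classify_trace_response(raw):
    """Map a raw HTTP response to 'enabled', 'disabled' or 'unknown'.

    A server that still honours TRACE answers 200 and echoes the request back
    with Content-Type: message/http. "TraceEnable off" yields 405 Method Not
    Allowed; the "RewriteRule .* - [F]" variant yields 403 Forbidden; an
    unimplemented method (e.g. TRACK on Apache) yields 501.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)          # e.g. b"HTTP/1.1", b"405", b"Method Not Allowed"
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if status == 200 and headers.get(b"content-type", b"").startswith(b"message/http"):
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"


def probe_trace(host, port=80, timeout=5.0):
    """Send one TRACE request to host:port (plain HTTP, no TLS) and classify the reply."""
    request = f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))
```

Run probe_trace("localhost") against the box you just reconfigured; "disabled" is the result you want after restarting Apache.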
 

Author Comment

by:Brijeshk9
ID: 24084493
Thanks, I have installed UrlScan 2.5 on my server (Win 2k). Is that enough, or do I need to do more with UrlScan on my server running IIS 5 to disable the HTTP TRACE/TRACK method?
0
 

Author Comment

by:Brijeshk9
ID: 24084525
As per the URL shared by you, I got one line in urlscan.ini, i.e.:
UseAllowVerbs=1   ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
So here do I need to change the value from 1 to 0, or do I need to replace this UseAllowVerbs with UseDenyVerbs?
0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24089629
Set UseAllowVerbs to 1 and define your HTTP methods in AllowVerbs (UseAllowVerbs=1)

You should define the following methods:

HEAD, GET, POST

All other methods including TRACK will be denied using this configuration.
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 1500 total points
ID: 24089659
When UseAllowVerbs is set to 1, DenyVerbs will be ignored and any methods not defined in AllowVerbs will automatically get rejected.

On the other hand, if you want to ONLY deny the TRACK method, then you could set UseAllowVerbs to 0 and put TRACK into DenyVerbs. Using this configuration, all methods defined in AllowVerbs will be ignored.
0
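The UseAllowVerbs semantics described in the two replies above, modelled as an added example (not UrlScan's code and not from this thread): it parses a constructed urlscan.ini fragment and reports whether UrlScan would pass a given HTTP method on to IIS. It assumes the documented behaviour that only one list is ever consulted, and that the shipped default for UseAllowVerbs is 1.

```python
# Added example, not UrlScan's code: model the UseAllowVerbs decision over a
# constructed urlscan.ini. UseAllowVerbs=1 -> only [AllowVerbs] is consulted and
# anything else is rejected; UseAllowVerbs=0 -> only [DenyVerbs] is consulted.

SAMPLE_INI = """\
[options]
UseAllowVerbs=0          ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
EnableLogging=1          ; if 1, log UrlScan activity

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
TRACK
TRACE
PROPFIND
"""


def parse_urlscan_ini(text):
    """Return {section_lower: [entries]} with ';' comments and blank lines stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an inline comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # section names are case-insensitive
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)        # key=value line or a bare verb
    return sections


def verb_allowed(sections, method):
    """True if UrlScan would pass this HTTP method on to IIS, False if it rejects it."""
    options = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        options[key.strip().lower()] = value.strip()
    use_allow = options.get("useallowverbs", "1") == "1"   # 1 is the shipped default (assumed)
    method = method.upper()
    if use_allow:
        return method in {v.upper() for v in sections.get("allowverbs", [])}
    return method not in {v.upper() for v in sections.get("denyverbs", [])}
```

Flipping the sample's UseAllowVerbs to 1 makes OPTIONS rejected as well, which is why the allow-list mode is the stricter choice.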
 

Author Comment

by:Brijeshk9
ID: 24094173
OK, I have changed the value of UseAllowVerbs to 0 and I have some values given there in DenyVerbs.
Please correct me if I have given the wrong entry for TRACE/TRACK.
FROM URLSCAN.INI
********************************************************************
[options]
UseAllowVerbs=0                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0           ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1       ; if 1, canonicalize URL before processing
VerifyNormalization=1          ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0       ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0               ; if 1, allow dots that are not file extensions
RemoveServerHeader=0           ; if 1, remove "Server" header from response
EnableLogging=1                ; if 1, log UrlScan activity
PerProcessLogging=0            ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0            ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1                ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl=             ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0            ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
                               ; If 0, then only 1k is allowed.

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created.  This value should be the absolute path
; (ie. c:\some\path).  If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;

LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
TRACK
TRACE
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
*********************************************************
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 1500 total points
ID: 24094186
That looks ok to me, but I would set UseAllowVerbs to '1' instead of '0' because then UrlScan will ONLY allow GET, HEAD and POST and deny everything else, including what you have in your [DenyVerbs] list.
0
 

Author Comment

by:Brijeshk9
ID: 24094758
But that is already configured in my IIS 5, and I am getting this TRACK/TRACE problem!
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 1500 total points
ID: 24098157
Use the configuration you have posted above

UseAllowVerbs=0

TRACK/TRACE should then get blocked.
0
 

Author Comment

by:Brijeshk9
ID: 24138435
OK, thanks, let me try it!
0
 

Author Comment

by:Brijeshk9
ID: 24201015
Yes, it's working now. Now I want to put a page/URL for all the requests rejected by UrlScan: "/<Rejected-By-UrlScan>"
Can we do it?
0
 

Author Comment

by:Brijeshk9
ID: 24447941
Any suggestion?
0
 

Author Closing Comment

by:Brijeshk9
ID: 31566350
Thank you
0
 

Expert Comment

by:baberamin
ID: 27723794
Hi,

I'm using Tomcat 5.5.23 and I'm not able to find the httpd.conf file. Please help.
0
