Solved

How to disable the HTTP TRACE /TRACK method to remove this Website Vulnerabilities for IIS/Apache

Posted on 2009-04-03
18
10,308 Views
Last Modified: 2012-05-06
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. The HTTP TRACE method, as described in RFC 2516 of the HTTP 1.1 standard, is used for debugging and network analysis purposes. When enabled, a remote attacker could leverage this functionality with known cross-site scripting and other Web browser vulnerabilities, to obtain sensitive information about the Web server, including server cookies and authentication information. The attacker could then use this information to launch further attacks against the affected Web server
0
Comment
Question by:Brijeshk9
  • 10
  • 7
18 Comments
 
LVL 21

Accepted Solution

by:
Julian Matz earned 500 total points
ID: 24066062
I presume you have the latest stable release of Apache, in which case you should be able to use the following in your httpd.conf to turn this off:

TraceEnable off

Also, you might be interested in the Apache module, mod_security:

http://www.modsecurity.org/
0
 

Author Comment

by:Brijeshk9
ID: 24071441
and what to do with IIS 5 & 6.........?
0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24072142
You might find this interesting for IIS 4 and higer:

http://technet.microsoft.com/en-gb/security/cc242650.aspx
0
 

Author Comment

by:Brijeshk9
ID: 24083942
can anyone helpl me to provide the excat steps we need to perform on it in IIS/Apache..!
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24084363
Sure.

For Apache:

1. Open up your Apache configuration.

2. Add following lines:

 RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]

3. Save your configuration file.

4. Restart Apache.

For IIS:

 1. Download the Setup.exe file for UrlScan 2.5.
(Link: http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-9928-7f94ef1c902a&displaylang=en )

2. Double-click the Setup.exe icon.

3. Review the agreement in the UrlScan Installer Package End User Agreement and then click Yes to accept the agreement and continue. If you click No, the installer will close.

4. When the installer completes, the following message is displayed: "UrlScan has been successfully installed." Click OK to close the installer.

Note: according to US Detp. of Homeland Security, IIS 6 does not seem to be subject to the vulnerability.

http://www.kb.cert.org/vuls/id/288308
0
 

Author Comment

by:Brijeshk9
ID: 24084493
Thanks ,I  have installed the url scan 2.5 on my server(win 2k),is that enough or I need to do more with this url scan on my server running iis 5 to disable HTTP TRACE /TRACK method .
0
 

Author Comment

by:Brijeshk9
ID: 24084525
as per the url shared by you i got:one line in urlscan.ini ie:
UseAllowVerbs=1   ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section,so here i need to change the value form 1 to 0 or i need to replace this UseAllowVerbs with UseDenyVerbs...?
0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24089629
Set UseAllowVerbs to 1 and define your HTTP methods in AllowVerbs (UseAllowVerbs=1)

You should define the following methods:

HEAD, GET, POST

All other methods including TRACK will be denied using this configuration.
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24089659
When UseAllowVerbs is set to 1, DenyVerbs will be ignored and any methods not defined in AllowVerbs will automatically get rejected.

On the other hand, if you want to ONLY deny the TRACK method, then you could set UseAllowVerbs to 0 and put TRACK into DenyVerbs. Using this configuration, all methods defined in AllowVerbs will be ignored.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:Brijeshk9
ID: 24094173
Ok,i have chnaged the value ofUseAllowVerbs to 0 and i have some values given there in DenyVerbs
Please correct me if i have given the wrong entry for TRCE/TRACK.
FROM URLSCAN.INI
********************************************************************
[options]
UseAllowVerbs=0                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0           ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1       ; if 1, canonicalize URL before processing
VerifyNormalization=1          ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0       ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0               ; if 1, allow dots that are not file extensions
RemoveServerHeader=0           ; if 1, remove "Server" header from response
EnableLogging=1                ; if 1, log UrlScan activity
PerProcessLogging=0            ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0            ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1                ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl=             ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0            ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
                               ; If 0, then only 1k is allowed.

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created.  This value should be the absolute path
; (ie. c:\some\path).  If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;

LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
TRACK
TRACE
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
*********************************************************
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24094186
That looks ok to me, but I would set UseAllowVerbs to '1' instead of '0' because then UrlScan will ONLY allow GET, HEAD and POST and deny everything else, including what you have in your [DenyVerbs] list.
0
 

Author Comment

by:Brijeshk9
ID: 24094758
but that is already configured in my IIS 5,and i am getting this tarck/tarce problem...!
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24098157
Use the configuration you have posted above

UseAllowVerbs=0

TRACK/TRACE should then get blocked.
0
 

Author Comment

by:Brijeshk9
ID: 24138435
ok,Thanks,let me try it..!
0
 

Author Comment

by:Brijeshk9
ID: 24201015
yes its working now,now I want to put a page/URL for all the rejected requests by URL scan: "/<Rejected-By-UrlScan>"
can we do it..!
0
 

Author Comment

by:Brijeshk9
ID: 24447941
any suggestion...!
0
 

Author Closing Comment

by:Brijeshk9
ID: 31566350
Thank you
0
 

Expert Comment

by:baberamin
ID: 27723794
Hi,

I'm using Tomcat 5.5.23 and I'm not able to fine httpd.conf file. Please help.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Join & Write a Comment

First of all, clustering IIS is something you should rarely consider doing. In almost all cases, Microsoft Network Load Balancing (NLB) (http://technet.microsoft.com/en-us/library/cc758834(WS.10).aspx) is a much better solution when you need to p…
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now