Solved

How to disable the HTTP TRACE /TRACK method to remove this Website Vulnerabilities for IIS/Apache

Posted on 2009-04-03
18
10,475 Views
Last Modified: 2012-05-06
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. The HTTP TRACE method, as described in RFC 2516 of the HTTP 1.1 standard, is used for debugging and network analysis purposes. When enabled, a remote attacker could leverage this functionality with known cross-site scripting and other Web browser vulnerabilities, to obtain sensitive information about the Web server, including server cookies and authentication information. The attacker could then use this information to launch further attacks against the affected Web server
0
Comment
Question by:Brijeshk9
  • 10
  • 7
18 Comments
 
LVL 21

Accepted Solution

by:
Julian Matz earned 500 total points
ID: 24066062
I presume you have the latest stable release of Apache, in which case you should be able to use the following in your httpd.conf to turn this off:

TraceEnable off

Also, you might be interested in the Apache module, mod_security:

http://www.modsecurity.org/
0
 

Author Comment

by:Brijeshk9
ID: 24071441
and what to do with IIS 5 & 6.........?
0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24072142
You might find this interesting for IIS 4 and higer:

http://technet.microsoft.com/en-gb/security/cc242650.aspx
0
 

Author Comment

by:Brijeshk9
ID: 24083942
can anyone helpl me to provide the excat steps we need to perform on it in IIS/Apache..!
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24084363
Sure.

For Apache:

1. Open up your Apache configuration.

2. Add following lines:

 RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]

3. Save your configuration file.

4. Restart Apache.

For IIS:

 1. Download the Setup.exe file for UrlScan 2.5.
(Link: http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-9928-7f94ef1c902a&displaylang=en )

2. Double-click the Setup.exe icon.

3. Review the agreement in the UrlScan Installer Package End User Agreement and then click Yes to accept the agreement and continue. If you click No, the installer will close.

4. When the installer completes, the following message is displayed: "UrlScan has been successfully installed." Click OK to close the installer.

Note: according to US Detp. of Homeland Security, IIS 6 does not seem to be subject to the vulnerability.

http://www.kb.cert.org/vuls/id/288308
0
 

Author Comment

by:Brijeshk9
ID: 24084493
Thanks ,I  have installed the url scan 2.5 on my server(win 2k),is that enough or I need to do more with this url scan on my server running iis 5 to disable HTTP TRACE /TRACK method .
0
 

Author Comment

by:Brijeshk9
ID: 24084525
as per the url shared by you i got:one line in urlscan.ini ie:
UseAllowVerbs=1   ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section,so here i need to change the value form 1 to 0 or i need to replace this UseAllowVerbs with UseDenyVerbs...?
0
 
LVL 21

Expert Comment

by:Julian Matz
ID: 24089629
Set UseAllowVerbs to 1 and define your HTTP methods in AllowVerbs (UseAllowVerbs=1)

You should define the following methods:

HEAD, GET, POST

All other methods including TRACK will be denied using this configuration.
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24089659
When UseAllowVerbs is set to 1, DenyVerbs will be ignored and any methods not defined in AllowVerbs will automatically get rejected.

On the other hand, if you want to ONLY deny the TRACK method, then you could set UseAllowVerbs to 0 and put TRACK into DenyVerbs. Using this configuration, all methods defined in AllowVerbs will be ignored.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:Brijeshk9
ID: 24094173
Ok,i have chnaged the value ofUseAllowVerbs to 0 and i have some values given there in DenyVerbs
Please correct me if i have given the wrong entry for TRCE/TRACK.
FROM URLSCAN.INI
********************************************************************
[options]
UseAllowVerbs=0                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0           ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1       ; if 1, canonicalize URL before processing
VerifyNormalization=1          ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0       ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0               ; if 1, allow dots that are not file extensions
RemoveServerHeader=0           ; if 1, remove "Server" header from response
EnableLogging=1                ; if 1, log UrlScan activity
PerProcessLogging=0            ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0            ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1                ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl=             ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0            ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
                               ; If 0, then only 1k is allowed.

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created.  This value should be the absolute path
; (ie. c:\some\path).  If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;

LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
TRACK
TRACE
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
*********************************************************
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24094186
That looks ok to me, but I would set UseAllowVerbs to '1' instead of '0' because then UrlScan will ONLY allow GET, HEAD and POST and deny everything else, including what you have in your [DenyVerbs] list.
0
 

Author Comment

by:Brijeshk9
ID: 24094758
but that is already configured in my IIS 5,and i am getting this tarck/tarce problem...!
0
 
LVL 21

Assisted Solution

by:Julian Matz
Julian Matz earned 500 total points
ID: 24098157
Use the configuration you have posted above

UseAllowVerbs=0

TRACK/TRACE should then get blocked.
0
 

Author Comment

by:Brijeshk9
ID: 24138435
ok,Thanks,let me try it..!
0
 

Author Comment

by:Brijeshk9
ID: 24201015
yes its working now,now I want to put a page/URL for all the rejected requests by URL scan: "/<Rejected-By-UrlScan>"
can we do it..!
0
 

Author Comment

by:Brijeshk9
ID: 24447941
any suggestion...!
0
 

Author Closing Comment

by:Brijeshk9
ID: 31566350
Thank you
0
 

Expert Comment

by:baberamin
ID: 27723794
Hi,

I'm using Tomcat 5.5.23 and I'm not able to fine httpd.conf file. Please help.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Today I came across an interesting issue that had me pulling my hair out.  I was troubleshooting a new internal web site which uses integrated security instead of anonymous.  When browsing the site from my laptop, I was able to access it with no iss…
Logparser is the smartest tool I have ever used in parsing IIS log files and there are many interesting things I wanted to share with everyone one of the  real-world  scenario from my current project. Let's get started with  scenario - How do w…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now