
How to disable the HTTP TRACE/TRACK method to remove this website vulnerability for IIS/Apache

15,571 Views
Last Modified: 2012-05-06
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. The HTTP TRACE method, as described in RFC 2516 of the HTTP 1.1 standard, is used for debugging and network analysis purposes. When enabled, a remote attacker could leverage this functionality with known cross-site scripting and other Web browser vulnerabilities to obtain sensitive information about the Web server, including server cookies and authentication information. The attacker could then use this information to launch further attacks against the affected Web server.
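To make the scanner finding concrete, and to give you a check to run against your own server once the method has been disabled, here is an added example (it is not code from the thread or from any of the products mentioned). Two toy handlers built on Python's http.server stand in for a web server: one implements TRACE the way the HTTP 1.1 standard describes it, echoing the request line and headers back to the client, so a Cookie header sent with the request comes straight back in the body; the other does not implement the method at all, so the base class answers with an error. The cookie value, the handler names and the check function are all constructed for the demonstration. The same check_trace function can be pointed at a host and port of your own after reconfiguring IIS or Apache; a correctly hardened server answers with an error status (405, 403 or 501, depending on the product) and never reflects the cookie.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Toy server with TRACE enabled: reflects the request line and headers."""

    def do_TRACE(self):
        # This is exactly what makes TRACE dangerous: whatever the client sent,
        # cookies and authorization headers included, is echoed into the body.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class TraceDisabledHandler(BaseHTTPRequestHandler):
    """Toy server with no TRACE implementation: the base class answers 501."""

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_trace(host, port, cookie="session=constructed-demo-value"):
    """Send one TRACE request carrying a cookie and report what came back.

    Returns (status, cookie_reflected). A server with TRACE disabled should
    answer with an error status and must never reflect the cookie value.
    The cookie value is a constructed placeholder, not a real session.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie, "Max-Forwards": "0"})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        return resp.status, cookie in body
    finally:
        conn.close()


def run_demo():
    """Run both toy servers on loopback and return the two check results."""
    results = {}
    for name, handler in (("trace-enabled", TraceEnabledHandler),
                          ("trace-disabled", TraceDisabledHandler)):
        server = start_server(handler)
        try:
            results[name] = check_trace(*server.server_address)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (status, reflected) in run_demo().items():
        print(f"{name}: HTTP {status}, cookie reflected: {reflected}")
```

The toy "disabled" server answers 501 because BaseHTTPRequestHandler has no do_TRACE; a production server that has the method switched off will usually answer 405 or 403 instead, so treat any non-2xx status with no reflected cookie as a pass.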

Technical Support
Top Expert 2005
Commented:

Author

Commented:
And what to do with IIS 5 & 6?
Julian Matz, Technical Support
Top Expert 2005

Commented:
You might find this interesting for IIS 4 and higher:

http://technet.microsoft.com/en-gb/security/cc242650.aspx

Author

Commented:
Can anyone help me by providing the exact steps we need to perform for this in IIS/Apache?
Julian Matz, Technical Support
Top Expert 2005
Commented:

Author

Commented:
Thanks. I have installed UrlScan 2.5 on my server (Win 2K). Is that enough, or do I need to do more with UrlScan on my server running IIS 5 to disable the HTTP TRACE/TRACK method?

Author

Commented:
As per the URL you shared, I found one line in urlscan.ini, i.e.:

UseAllowVerbs=1   ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section

So here do I need to change the value from 1 to 0, or do I need to replace this UseAllowVerbs with UseDenyVerbs?
Julian Matz, Technical Support
Top Expert 2005

Commented:
Set UseAllowVerbs to 1 and define your HTTP methods in AllowVerbs (UseAllowVerbs=1).

You should define the following methods:

HEAD, GET, POST

All other methods, including TRACK, will be denied using this configuration.
Julian Matz, Technical Support
Top Expert 2005
Commented:

Author

Commented:
OK, I have changed the value of UseAllowVerbs to 0, and I have some values given there in DenyVerbs.
Please correct me if I have given the wrong entry for TRACE/TRACK.
FROM URLSCAN.INI
********************************************************************
[options]
UseAllowVerbs=0                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0           ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1       ; if 1, canonicalize URL before processing
VerifyNormalization=1          ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0       ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0               ; if 1, allow dots that are not file extensions
RemoveServerHeader=0           ; if 1, remove "Server" header from response
EnableLogging=1                ; if 1, log UrlScan activity
PerProcessLogging=0            ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0            ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1                ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl=             ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0            ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
                               ; If 0, then only 1k is allowed.

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created.  This value should be the absolute path
; (ie. c:\some\path).  If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;

LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
TRACK
TRACE
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
*********************************************************
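The expert's answer (UseAllowVerbs=1 with GET, HEAD and POST in [AllowVerbs]) and the author's posted file (UseAllowVerbs=0 with TRACK and TRACE in [DenyVerbs]) are two ways of reaching the same result, and the difference is easy to get wrong when editing by hand. The following added example, which is not code from the thread or from UrlScan itself, is a small checker that reads a urlscan.ini fragment and reports whether TRACE and TRACK would be rejected under the rule the thread describes: with UseAllowVerbs=1 only the verbs listed in [AllowVerbs] pass, with UseAllowVerbs=0 every verb passes except those listed in [DenyVerbs]. The three sample INI texts are constructed, modelled on the one posted above; the case-insensitive verb comparison and the default of 1 when UseAllowVerbs is absent are assumptions of this checker, not statements about UrlScan's internals.

```python
import re

# Constructed sample: allow-list mode, as the expert recommended.
ALLOW_LIST_INI = """
[options]
UseAllowVerbs=1                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
TRACK
TRACE
"""

# Constructed sample: deny-list mode, as the author configured it.
DENY_LIST_INI = """
[options]
UseAllowVerbs=0                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
TRACK
TRACE
PROPFIND
PUT
DELETE
"""

# Constructed sample: deny-list mode with TRACK forgotten, the kind of gap a
# vulnerability scanner would still flag after the "fix".
DENY_LIST_MISSING_TRACK_INI = """
[options]
UseAllowVerbs=0

[DenyVerbs]
TRACE
PROPFIND
"""


def _strip_comment(line):
    """Drop a trailing ';' comment, the comment syntax used by urlscan.ini."""
    return line.split(";", 1)[0].strip()


def parse_urlscan_ini(text):
    """Parse the subset of urlscan.ini this check needs.

    Returns {"options": {key: value}, "verbs": {section: {VERB, ...}}}.
    Section and option names are lower-cased so [options] and [Options]
    compare equal; verbs are upper-cased (assumption: case-insensitive match).
    """
    options, verbs, section = {}, {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "options":
            key, _, value = line.partition("=")
            options[key.strip().lower()] = value.strip()
        elif section is not None:
            # Bare tokens in [AllowVerbs] / [DenyVerbs].
            verbs.setdefault(section, set()).add(line.upper())
    return {"options": options, "verbs": verbs}


def verb_allowed(config, verb):
    """Apply the UseAllowVerbs rule to a single HTTP method."""
    verb = verb.upper()
    mode = config["options"].get("useallowverbs", "1")  # assumed default: allow-list
    if mode == "1":
        return verb in config["verbs"].get("allowverbs", set())
    return verb not in config["verbs"].get("denyverbs", set())


def audit_trace_track(text):
    """Return {"TRACE": allowed?, "TRACK": allowed?} for an ini text."""
    config = parse_urlscan_ini(text)
    return {v: verb_allowed(config, v) for v in ("TRACE", "TRACK")}


if __name__ == "__main__":
    samples = [("allow-list", ALLOW_LIST_INI),
               ("deny-list", DENY_LIST_INI),
               ("deny-list, TRACK missing", DENY_LIST_MISSING_TRACK_INI)]
    for name, ini in samples:
        leaks = [v for v, allowed in audit_trace_track(ini).items() if allowed]
        verdict = "still allows " + ", ".join(leaks) if leaks else "TRACE and TRACK rejected"
        print(f"{name}: {verdict}")
```

To run it against a real file, pass the contents of your own urlscan.ini to audit_trace_track. The allow-list form is the safer of the two because a verb you never thought of is rejected by default, whereas the deny-list form only blocks what you remembered to list, which is exactly what the third sample shows.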
Julian Matz, Technical Support
Top Expert 2005
Commented:

Author

Commented:
But that is already configured in my IIS 5, and I am getting this TRACK/TRACE problem!
Julian Matz, Technical Support
Top Expert 2005
Commented:

Author

Commented:
OK, thanks, let me try it!

Author

Commented:
Yes, it's working now. Now I want to put a page/URL for all the requests rejected by UrlScan: "/<Rejected-By-UrlScan>"
Can we do it?

Author

Commented:
Any suggestion?

Author

Commented:
Thank you
Hi,

I'm using Tomcat 5.5.23 and I'm not able to find the httpd.conf file. Please help.