
4 Sep 2009

Disable HTTP TRACE / TRACK Methods for Oracle-HTTP-Server (Apache)


HTTP TRACE / TRACK Methods
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1594872495.html HTTP/1.1
Connection: Close
Host: 192.168.1.1
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2009 06:27:29 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1594872495.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Close
Host: 10.118.1.39
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

------------------------------ snip ------------------------------

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485


How to disable HTTP TRACE / TRACK Methods

1. Modify C:\oracle\10gappr2\Apache\Apache\conf\httpd.conf (your installation location might be different) with the following configuration.

### Add under the "Dynamic Shared Object (DSO) Support" section ###

LoadModule rewrite_module modules/ApacheModuleRewrite.dll
AddModule mod_rewrite.c

### Append to the end of the file ###

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

Note that this pattern also rejects OPTIONS, which the Nessus finding does not require; remove it from the alternation if any of your clients rely on OPTIONS. The [F] flag makes the server answer matching requests with 403 Forbidden.

2. Restart the Oracle10GAPPR2ProcessManager service (or reboot the server) so the new configuration takes effect, then re-run the scan to confirm TRACE and TRACK are now answered with 403 Forbidden.
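To confirm the change without waiting for the next Nessus run, the following script sends a bare TRACE and TRACK request to the server and reports whether the request is still echoed back (the 200 / message/http behaviour shown in the scanner output above). It is an added example, not code from the original post; the host name, path and the two sample responses are constructed for illustration.

```python
"""Verify that TRACE and TRACK are rejected after the mod_rewrite change.
Added example for this post, not code from the original article."""
import socket

METHODS = ("TRACE", "TRACK")

# Constructed sample responses, modelled on the Nessus output above.
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nServer: Oracle-HTTP-Server\r\n"
               b"Content-Type: message/http\r\nConnection: close\r\n\r\n"
               b"TRACE /check.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n")
SAMPLE_FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                    b"Connection: close\r\n\r\n<html>Forbidden</html>")

def build_request(method: str, host: str, path: str = "/check.html") -> bytes:
    # Minimal HTTP/1.1 request; Connection: close makes the server end the stream.
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def method_enabled(raw: bytes) -> bool:
    """True when the server honoured TRACE/TRACK: a 200 that echoes the request
    (Content-Type message/http, or a request line visible in the body)."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return False          # 403 from the RewriteRule, or 405/501, means blocked
    return (headers.get("content-type", "").startswith("message/http")
            or b" HTTP/1." in body)

def check_server(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send each method to host:port and report {method: still_enabled}."""
    results = {}
    for method in METHODS:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(method, host))
            chunks = []
            while chunk := sock.recv(4096):
                chunks.append(chunk)
        results[method] = method_enabled(b"".join(chunks))
    return results
```

Call `check_server("your-ohs-host")` after the restart; both entries should be False, and a server that still answers 200 with the echoed request will show up as True.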
