
Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director, Oracle iPlanet WebServer

  • October 29, 2006

Disabling TRACE in Sun Java System Web Server 7.0



In Sun Java System Web Server 7.0 or Sun ONE Web Server 6.1, comment out the TRACE service line in obj.conf:

#Service method="TRACE" fn="service-trace"


For releases prior to Sun ONE Web Server 6.1, add the following to obj.conf:

<Client method="TRACE">
AuthTrans fn="set-variable"
         remove-headers="transfer-encoding"
         set-headers="content-length: -1"
         error="501"
</Client>


There is a perception that Sun Java System Web Server (Web Server) is somehow vulnerable because of the HTTP methods an OPTIONS request lists.

These methods (except for TRACE) are NOT enabled by default in the Web Server. The fact that an OPTIONS request lists these methods doesn't mean they can be exploited.


Web Server responds to the HTTP OPTIONS method by reporting the methods it understands. An indication that a method is understood is, however, no guarantee that the method is permitted or will be executed.


By default Web Server blocks all "privileged" HTTP methods behind the Access Control List (ACL) system. Attempts to invoke these methods are answered with an HTTP 401 error code (Unauthorized) requesting credentials from the User-Agent. If valid credentials are provided, or if the default ACL is disabled, Web Server responds with an HTTP 405 error code (Method Not Allowed).


You can also add it as the first ACE in default.acl:

deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";
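The two settings above (the commented-out TRACE service in obj.conf and the deny ACE placed first in default.acl) are easy to get subtly wrong, for example by leaving the Service line active in one of several obj.conf files or by adding the ACE after an allow. The following script, an added example that is not code from this post or from Sun/Oracle, audits both files for exactly the settings the post describes. The obj.conf and default.acl snippets at the bottom are constructed for the demo; the parsing assumes the simple `;`-terminated ACL syntax shown in this post and treats the value of a `<Client method="...">` attribute as a regular expression, as the `(OPTIONS|TRACE|...)` form in the comments suggests.

```python
"""Audit obj.conf and default.acl for the TRACE hardening described above.

Added example, not code from the post or from Sun/Oracle.  Two checks:
  1. obj.conf must not contain an active (uncommented)
     Service method="TRACE" fn="service-trace" line; any <Client method="...">
     block whose pattern matches TRACE is reported for manual review, because
     the directives inside it decide whether it blocks TRACE or not.
  2. In default.acl, the first ACE of the ACL named "default" must be
     deny absolute (... http_trace ...) user="anyone";
"""
import re
from dataclasses import dataclass, field

SERVICE_TRACE_RE = re.compile(r'^\s*Service\s+method="TRACE"\s+fn="service-trace"', re.I)
CLIENT_OPEN_RE = re.compile(r'^\s*<Client\s+method="([^"]+)"', re.I)
ACL_NAME_RE = re.compile(r'^acl\s+"([^"]+)"$', re.I)
DENY_TRACE_RE = re.compile(r'^deny\s+absolute\s+\(([^)]*)\)\s+user\s*=\s*"anyone"$', re.I)


@dataclass
class ObjConfAudit:
    active_trace_service: list = field(default_factory=list)  # line numbers
    trace_client_blocks: list = field(default_factory=list)   # line numbers


def audit_obj_conf(text: str) -> ObjConfAudit:
    """Scan obj.conf text; lines starting with '#' are comments and are skipped."""
    result = ObjConfAudit()
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if SERVICE_TRACE_RE.match(line):
            result.active_trace_service.append(lineno)
            continue
        m = CLIENT_OPEN_RE.match(line)
        if m:
            pattern = m.group(1)
            try:  # the method attribute is a regex, e.g. "(OPTIONS|TRACE|DELETE|...)"
                hits = re.fullmatch(pattern, "TRACE") is not None
            except re.error:
                hits = "TRACE" in pattern
            if hits:
                result.trace_client_blocks.append(lineno)
    return result


def first_ace_of_acl(text: str, acl_name: str = "default"):
    """Return the first allow/deny statement inside the named ACL, or None.

    '#' comments are dropped and the file is split into ';'-terminated
    statements; the inner ';' of an authenticate { ... } block only yields
    fragments that start with neither 'allow' nor 'deny'.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    in_target = False
    for raw in stripped.split(";"):
        stmt = re.sub(r"\s+", " ", raw).strip()
        if not stmt:
            continue
        m = ACL_NAME_RE.match(stmt)
        if m:
            in_target = m.group(1) == acl_name
            continue
        if in_target and stmt.split(" ", 1)[0].lower() in ("allow", "deny"):
            return stmt
    return None


def trace_denied_first(text: str, acl_name: str = "default") -> bool:
    """True if the first ACE of the ACL is a deny absolute of http_trace for "anyone"."""
    ace = first_ace_of_acl(text, acl_name)
    m = DENY_TRACE_RE.match(ace) if ace else None
    if not m:
        return False
    rights = {r.strip().lower() for r in m.group(1).split(",")}
    return "http_trace" in rights


# Constructed sample fragments (not real server files).
OBJ_CONF_BEFORE = '<Object name="default">\nService method="TRACE" fn="service-trace"\n</Object>\n'
OBJ_CONF_AFTER = OBJ_CONF_BEFORE.replace('Service method="TRACE"', '#Service method="TRACE"')
OBJ_CONF_CLIENT = ('<Object name="default">\n<Client method="TRACE">\n'
                   'AuthTrans fn="set-variable" remove-headers="transfer-encoding" '
                   'set-headers="content-length: -1" error="501"\n</Client>\n</Object>\n')
DEFAULT_ACL_GOOD = """version 3.0;
acl "default";
authenticate (user, group) {
prompt = "Oracle iPlanet Web Server";
};
deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";
"""
# Same ACEs, but the deny placed after the allows: it is no longer the first ACE.
DEFAULT_ACL_BAD = DEFAULT_ACL_GOOD.replace(
    'deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";\n', ""
) + 'deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";\n'

if __name__ == "__main__":
    for label, text in (("before", OBJ_CONF_BEFORE), ("after", OBJ_CONF_AFTER), ("client", OBJ_CONF_CLIENT)):
        print(label, audit_obj_conf(text))
    print("deny http_trace is first ACE (good):", trace_denied_first(DEFAULT_ACL_GOOD))
    print("deny http_trace is first ACE (bad):", trace_denied_first(DEFAULT_ACL_BAD))
```

Run it against every `*obj.conf` under the instance's config directory, not just the main one, since a later comment notes that the TRACE line had to be removed from all of them.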


Comments (14)
  • chenlingreen Wednesday, April 23, 2008

    When I add

    <Client method="TRACE">
    AuthTrans fn="set-variable"
             remove-headers="transfer-encoding"
             set-headers="content-length: -1"
             error="501"
    </Client>

    for our iPlanet server, it doesn't disable TRACE when I use HTTP 1.1 to send the request. For example:

    Trace /HTTP/1.1
    host:www.xxxxxxx.com
    a:ssss

    The server responds with 413 instead of 501.

    So how do I disable the HTTP/1.1 request? It is confusing.


  • meena Monday, June 2, 2008

    Try "TRACE" rather than "Trace". The HTTP/1.1 RFC says: http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1

    "The method is case-sensitive."

    Also, there should be a space between the URI "/" and the protocol "HTTP/1.1".

    I get 501 in both cases.


  • Ajay Wednesday, August 13, 2008

    I am running iPlanet ver 6.0 SP5. I tried with "obj.conf" & "acl" too but no luck.

    telnet www.mysitename.com 80
    TRACE / HTTP/1.1
    Host: mysitename.com
    Via: <script>alert('QualysXSS');</script>

    The response is of the form:

    HTTP/1.1 200 OK
    Server: Netscape-Enterprise/6.0
    Date: Tue, 12 Aug 2008 19:15:14 GMT
    Content-length: 83
    Content-type: message/http

    TRACE / HTTP/1.1
    Host: mysitename.com
    Via: <script>alert('QualysXSS');</script>

    Any suggestion?


  • meena Thursday, August 14, 2008

    Yes, I searched for all files with obj.conf in <ws-install-dir>/https-<instance-name>/config/ and deleted all lines that had TRACE in them.

    When I send a request:

    TRACE / HTTP/1.1
    Host: mysitename.com
    Via: <script>alert('QualysXSS');</script>

    I get:

    HTTP/1.1 405 Method Not Allowed
    Server: Sun-Java-System-Web-Server/7.0
    Date: Thu, 14 Aug 2008 07:09:53 GMT
    Allow: HEAD, GET
    Content-length: 147
    Content-type: text/html

    <HTML><HEAD><TITLE>Method Not Allowed</TITLE></HEAD>
    <BODY><H1>Method Not Allowed</H1>
    The server is unable to process your request.
    </BODY></HTML>

    BTW you can try my blogs Intrusion Detection http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
    and http://blogs.sun.com/meena/entry/cross_site_scripting_prevention_in

    P.S. If you are using Web Server 6.0 please migrate to the latest Web Server 7.0 update 3 http://sun.systemnews.com/go/2?a=20248&l=http%3A%2F%2Ftinyurl.com%2F4l7yed

    For any questions please write to http://forums.sun.com/forum.jspa?forumID=759


  • ana Tuesday, April 6, 2010

    We are running 6.1sp8. We have removed the Service method="TRACE" fn="service-trace" line from our obj.conf file. Would it be equivalent to commenting it out? Or do I have to put it back and comment it out?


  • meena Wednesday, April 7, 2010

    Removing the line or commenting it out are the same.

    Please ask questions in the forum:
    http://forums.sun.com/forum.jspa?forumID=759


  • guest Thursday, October 6, 2011

    I have a couple of questions

    1- In Sun Java System Web Server 7.0 or Sun ONE Web Server 6.1, comment the TRACE service in obj.conf:

    #Service method="TRACE" fn="service-trace"

    While in the obj.conf there is no Service method="TRACE" to comment in the first place. I have rather the following

    <Client method="(OPTIONS|TRACE|DELETE|PUT|MOVE|INDEX|MKDIR|RMDIR)">

    I am not sure what to do here. Should I delete the word TRACE in the line above?

    2- I have 6.1sp9, so the following is out of scope, right?

    For releases prior to Sun ONE Web Server 6.1, add the following in obj.conf:

    <Client method="TRACE">
    AuthTrans fn="set-variable"
    remove-headers="transfer-encoding"
    set-headers="content-length: -1"
    error="501"

    3- How to test if my changes work or not?

    Thank you,


  • Meena Wednesday, October 12, 2011

    1. Depends on what is below the line
    <Client method="(OPTIONS|TRACE|DELETE|PUT|MOVE|INDEX|MKDIR|RMDIR)">

    2. and 3. Refer to Walter's blog http://blogs.oracle.com/walter/entry/how_to_disable_trace_method
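The question of how to test the change is answered in this thread by hand-typed telnet sessions, which are error-prone: the first comment used "Trace" instead of "TRACE" with no space before the version, and a later one sent plain text to a TLS port. The script below, an added example that is not from this post or from Sun/Oracle, scripts that test. It classifies a raw HTTP response the way the replies above do (a 200 with `Content-type: message/http` echoing the request means TRACE is served; 405, 501 or 401 mean it is blocked; anything else, such as the 413 or 302 seen in the comments, is reported as unclear so the request itself can be re-checked) and can send a correctly formed `TRACE / HTTP/1.1` over TLS or plain HTTP. The sample responses are constructed from those quoted in the comments, and the host name in the `__main__` block is a placeholder.

```python
"""Classify a server's answer to a TRACE request, and optionally send one.

Added example, not code from the post.  Outcomes distinguished:
  - 200 + Content-type message/http + request echoed in body -> "enabled"
  - 401 / 405 / 501 (ACL challenge, Method Not Allowed, <Client> error) -> "blocked"
  - anything else (e.g. 413 for a malformed request, 302 redirect) -> "unclear"
"""
import http.client


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'blocked' or 'unclear' for the reply to a TRACE request."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").lower()
    if status == 200 and ctype.startswith("message/http") and body.lstrip().startswith(b"TRACE "):
        return "enabled"   # the request came back verbatim: TRACE is being served
    if status in (401, 405, 501):
        return "blocked"   # default ACL challenge, Method Not Allowed, or Not Implemented
    return "unclear"       # e.g. 413 from a malformed request line, or a 302 redirect


def probe_trace(host: str, port: int = 443, use_tls: bool = True, timeout: float = 5.0) -> str:
    """Send 'TRACE / HTTP/1.1' (upper-case method, space before the version) and classify the reply.

    Uses HTTPSConnection for TLS ports, which telnet cannot do.
    """
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read()
        raw = (f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
               + "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
               + "\r\n").encode("iso-8859-1", "replace") + body
    finally:
        conn.close()
    return classify_trace_response(raw)


# Constructed from the replies quoted in the comments (not captured traffic).
SAMPLE_RESPONSES = {
    "echoed_200": (b"HTTP/1.1 200 OK\r\nServer: Netscape-Enterprise/6.0\r\n"
                   b"Content-type: message/http\r\n\r\n"
                   b"TRACE / HTTP/1.1\r\nHost: mysitename.com\r\n\r\n"),
    "blocked_405": (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Sun-Java-System-Web-Server/7.0\r\n"
                    b"Allow: HEAD, GET\r\nContent-type: text/html\r\n\r\n"
                    b"<HTML><HEAD><TITLE>Method Not Allowed</TITLE></HEAD></HTML>"),
    "other_413": b"HTTP/1.1 413 Request Entity Too Large\r\nContent-type: text/html\r\n\r\n",
    "redirect_302": b"HTTP/1.1 302 Moved Temporarily\r\nLocation: https://webtest:443/\r\nContent-length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name}: {classify_trace_response(raw)}")
    # Live check against your own server; the host below is a placeholder.
    # print(probe_trace("webserver.example.invalid", 443, use_tls=True))
```

Run `probe_trace` against each listener (plain and TLS) after editing the configuration and restarting the instance; an "unclear" result means the response was neither an echo nor a rejection, so inspect it before concluding anything, as the 302 in the last comment shows.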


  • Chris Monday, April 23, 2012

    Hi,

    How to disable directory listing on Sun ONE Web Server 6.1?

    Where to put <Client method="(OPTIONS|TRACE|DELETE|PUT|MOVE|INDEX|MKDIR|RMDIR)"> in obj.conf and deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone"; in the acl file?

    Thank you.


  • Meena Monday, April 23, 2012

    <Client> tags can be placed anywhere.

    In the default.acl file, in the ACL named "default", add this ACE in the first place:

    version 3.0;
    acl "default";
    authenticate (user, group) {
    prompt = "Oracle iPlanet Web Server";
    };
    deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";
    allow (read, execute, info) user = "anyone";
    allow (list, write, delete) user = "all";


  • guest Tuesday, April 24, 2012

    Is this how to solve the problems:

    1. How to block the directory listing
    2. How to disable https methods like OPTIONS TRACE TRACK etc?

    and

    why do we have two acl files?

    generated.https-gmlid.acl
    genwork.https-gmlid.acl


  • guest Wednesday, July 11, 2012

    For some reason none of these settings are working for me. I am running iPlanet 7u13 on a SPARC T3. My server is strictly on port 443 so I am testing like this:

    telnet 10.10.11.113 443
    Trying 10.10.11.113...
    Connected to 10.10.11.113.
    Escape character is '^]'.
    TRACE / HTTPS/1.1
    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 11 Jul 2012 19:35:06 GMT
    Location: https://webtest:443/
    Content-length: 0
    Connection: close

    From my hostname-obj.conf:

    <Object name="default">
    <Client method="TRACE">
    AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
    </Client>

    Also tried commenting out:

    Service method="TRACE" fn="service-trace"

    The ACL setting is a no go either. Any ideas?

    Thanks


  • Meena Friday, July 13, 2012

    You cannot send SSL requests via telnet. A non-SSL request is getting redirected to the SSL URL. It's not serving the TRACE request.


  • Meena Friday, July 13, 2012

    1) Directory listing is disabled by default in Web Server 7.0. Refer to my blog
    https://blogs.oracle.com/meena/entry/directory_listing_in_sun_java

    2) About the question: How to disable https methods like OPTIONS TRACE TRACK etc.?

    Comment out those functions from all *obj.confs and add ACLs. Also you can set ACLs deny (http_options) ... just to be doubly sure.

    3) About the question "Why do we have two acl files? generated.https-*.acl genwork.https-*.acl"

    Refer to http://docs.oracle.com/cd/E19857-01/820-5704/bhazk/index.html

    It says "After installation, the server_root/httpacl/generated.https-serverid.acl file provided default settings for the server. The server uses the working file genwork.https-serverid.acl until you create settings in the user interface. When editing an ACL file, you could make changes in the genwork file, then save and apply the changes using Sun Java System Web Server."

