Disabling TRACE in Sun Java System Web Server 7.0


In Sun Java System Web Server 7.0 or Sun ONE Web Server 6.1, comment out the TRACE Service directive in obj.conf so that it reads:
#Service method="TRACE" fn="service-trace"

For releases prior to Sun ONE Web Server 6.1, add the following to obj.conf instead:

<Client method="TRACE">
AuthTrans fn="set-variable"
         remove-headers="transfer-encoding"
         set-headers="content-length: -1"
         error="501"
</Client>

There is a common perception that Sun Java System Web Server (Web Server) is somehow vulnerable because an OPTIONS request lists methods such as PUT, DELETE, MOVE, MKDIR and RMDIR.
These methods (except for TRACE) are NOT enabled by default in the Web Server. The fact that an OPTIONS response lists them does not mean they can be exploited.

Web Server responds to the HTTP OPTIONS method by reporting the methods it understands. An indication that a method is understood is, however, no guarantee that the method is permitted or will be executed.

By default, Web Server blocks all "privileged" HTTP methods behind the Access Control List (ACL) system. Attempts to invoke these methods are answered with an HTTP 401 error code (Unauthorized) requesting credentials from the User-Agent. If valid credentials are provided, or if the default ACL is disabled, Web Server responds with an HTTP 405 error code (Method Not Allowed).

You can also deny these methods outright by adding the following as the first ACE in default.acl:
deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";
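
The post's fix is verified from the client side by sending a TRACE request and reading the reply, which is what several of the comments below attempt with telnet. The following is an added example, not code from the original post or from the Web Server product: it builds a correctly formed TRACE request (upper-case method, single spaces in the request line, as the HTTP/1.1 RFC requires), parses the status line and headers of the reply, and classifies it the way the post describes: a 200 with a message/http body means TRACE is still being echoed; 401, 405 and 501 mean it is blocked; a 3xx redirect (what a plaintext request to an https-only listener gets) is inconclusive. The function names and the three sample replies are my own; the samples are constructed from the responses quoted in the comments.

```python
"""Client-side check for HTTP TRACE (added example; helper names are hypothetical)."""
import socket
import ssl


def build_trace_request(host, path="/"):
    # The method is case-sensitive ("TRACE", not "Trace") and the request line
    # needs single spaces between method, request-target and protocol; a
    # malformed request line is rejected before the method is ever looked at.
    return ("TRACE %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (path, host)).encode("ascii")


def parse_response(raw):
    """Return (status_code, {header-name-lowercase: value}, body_bytes).
    Status 0 means the reply could not be parsed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return 0, {}, body
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify_trace_response(raw):
    status, headers, _ = parse_response(raw)
    if status == 0:
        return "inconclusive: unparseable reply"
    if status == 200 and headers.get("content-type", "").lower() == "message/http":
        return "TRACE ENABLED: server echoed the request (message/http body)"
    if status in (401, 405, 501):
        return "TRACE disabled: %d" % status
    if status in (301, 302, 303, 307, 308):
        # A plaintext request to an https listener is redirected, not served;
        # retry over TLS against the Location target.
        return "inconclusive: %d redirect to %s; retry over TLS" % (
            status, headers.get("location", "?"))
    return "inconclusive: HTTP %d" % status


def probe_trace(host, port=80, use_tls=False, timeout=5.0):
    """Connect to your own server, send one TRACE request and classify the reply.
    Use use_tls=True for a 443-only instance (telnet cannot speak TLS)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample replies, modelled on the ones quoted in the comments.
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nServer: Netscape-Enterprise/6.0\r\n"
                  b"Content-length: 40\r\nContent-type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.1\r\nHost: mysitename.com\r\n")
SAMPLE_DISABLED = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                   b"Server: Sun-Java-System-Web-Server/7.0\r\nAllow: HEAD, GET\r\n"
                   b"Content-type: text/html\r\n\r\n<HTML>Method Not Allowed</HTML>")
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Moved Temporarily\r\n"
                   b"Location: https://webtest:443/\r\nContent-length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_REDIRECT):
        print(classify_trace_response(sample))
```

To check a live instance you administer, call probe_trace("www.example.com") or probe_trace("www.example.com", 443, use_tls=True); only a reply classified as "TRACE disabled" confirms the obj.conf or ACL change took effect.
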
Comments:

When I add
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

for our iPlanet server, it doesn't disable TRACE when I use HTTP 1.1 to send the request. For example:

Trace /HTTP/1.1
host:www.xxxxxxx.com
a:ssss

The server responds with 413 instead of 501.

So how do I disable the HTTP/1.1 request? It is confusing.

Posted by chenlingreen on April 24, 2008 at 01:23 AM IST #

Try "TRACE" rather than "Trace". The HTTP/1.1 RFC says: http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
"The method is case-sensitive."

Also, there should be a space between the URI "/" and the protocol "HTTP/1.1".
I get 501 in both cases.

Posted by meena on June 02, 2008 at 11:07 AM IST #

I am running iPlanet ver 6.0 SP5. I tried with "obj.conf" & "acl" too, but no luck.

telnet www.mysitename.com 80
TRACE / HTTP/1.1
Host: mysitename.com
Via: <script>alert('QualysXSS');</script>

The response is of the form:

HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Tue, 12 Aug 2008 19:15:14 GMT
Content-length: 83
Content-type: message/http

TRACE / HTTP/1.1
Host: mysitename.com
Via: <script>alert('QualysXSS');</script>

Any suggestions?

Posted by Ajay on August 13, 2008 at 02:50 PM IST #

Yes, I searched for all files named obj.conf in <ws-install-dir>/https-<instance-name>/config/ and deleted all lines that had TRACE in them.

When I send a request:
TRACE / HTTP/1.1
Host: mysitename.com
Via: <script>alert('QualysXSS');</script>

I get:
HTTP/1.1 405 Method Not Allowed
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 14 Aug 2008 07:09:53 GMT
Allow: HEAD, GET
Content-length: 147
Content-type: text/html

<HTML><HEAD><TITLE>Method Not Allowed</TITLE></HEAD>
<BODY><H1>Method Not Allowed</H1>
The server is unable to process your request.
</BODY></HTML>

BTW, you can try my blogs on Intrusion Detection http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
and http://blogs.sun.com/meena/entry/cross_site_scripting_prevention_in

P.S. If you are using Web Server 6.0, please migrate to the latest Web Server 7.0 update 3 http://sun.systemnews.com/go/2?a=20248&l=http%3A%2F%2Ftinyurl.com%2F4l7yed

For any questions, please write to http://forums.sun.com/forum.jspa?forumID=759

Posted by meena on August 14, 2008 at 05:48 AM IST #

We are running 6.1 SP8. We have removed the Service method="TRACE" fn="service-trace" line from our obj.conf file. Would it be equivalent to commenting it out? Or do I have to place it back and comment it out?

Posted by ana on April 06, 2010 at 07:21 PM IST #

Removing the line or commenting it out are the same.

Please ask questions in the forum:
http://forums.sun.com/forum.jspa?forumID=759

Posted by meena on April 07, 2010 at 07:49 AM IST #

I have a couple of questions.

1- In Sun Java System Web Server 7.0 or Sun ONE Web Server 6.1,
comment the TRACE service in obj.conf:
#Service method="TRACE" fn="service-trace"

But in obj.conf there is no Service method="TRACE" to comment out in the first place.
I have the following instead:

<Client method="(OPTIONS|TRACE|DELETE|PUT|MOVE|INDEX|MKDIR|RMDIR)">
I am not sure what to do here. Should I delete the word TRACE in the line above?

2- I have 6.1 SP9,
so the following is out of scope, right? For releases prior to Sun ONE Web Server 6.1, add the following in
obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

3- How do I test whether my changes work or not?

Thank you,

Posted by guest on October 06, 2011 at 07:51 PM IST #

1. Depends on what is below the line
<Client method="(OPTIONS|TRACE|DELETE|PUT|MOVE|INDEX|MKDIR|RMDIR)">

2. and 3. Refer to Walter's blog http://blogs.oracle.com/walter/entry/how_to_disable_trace_method

Posted by Meena on October 12, 2011 at 10:04 AM IST #
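
The question above (a <Client method="(OPTIONS|TRACE|...)"> block in obj.conf instead of a plain Service line) and the answer "depends on what is below the line" come down to reading obj.conf carefully. The following is an added example, not code from the original post or from the Web Server product: a small audit that walks an obj.conf, skips commented lines (which is why the "#Service ..." fix works), records every uncommented Service directive that calls service-trace, and records every <Client method="..."> block whose method regular expression matches TRACE together with the error="..." codes it sets. Its verdict follows only the two recipes the post gives (comment out service-trace, or deny TRACE with error="501" inside a matching Client block); it is a heuristic for review, not a model of every obj.conf feature. The function names and the three sample configurations are mine, constructed from fragments quoted on this page.

```python
"""obj.conf audit for TRACE (added example; function names are hypothetical)."""
import re

OBJECT_OPEN = re.compile(r'<Object\s+name="([^"]+)"', re.IGNORECASE)
CLIENT_OPEN = re.compile(r'<Client\s+method="([^"]+)"\s*>', re.IGNORECASE)
CLIENT_CLOSE = re.compile(r'</Client>', re.IGNORECASE)
SERVICE_TRACE = re.compile(r'^Service\b.*\bfn="service-trace"', re.IGNORECASE)
ERROR_ATTR = re.compile(r'\berror="(\d{3})"')


def client_pattern_matches_trace(pattern):
    # <Client method="..."> takes a regular expression, e.g. (OPTIONS|TRACE|PUT)
    try:
        return re.fullmatch(pattern, "TRACE") is not None
    except re.error:
        return False


def audit_obj_conf(text):
    """Return the TRACE-relevant directives found in obj.conf text."""
    findings = {"active_service_trace": [], "trace_client_blocks": []}
    obj_name = None
    client = None  # the <Client> block we are currently inside, if any
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented '#Service method="TRACE" ...' is inert
        m = OBJECT_OPEN.search(line)
        if m:
            obj_name = m.group(1)
            continue
        m = CLIENT_OPEN.search(line)
        if m:
            client = {"pattern": m.group(1), "line": line_no,
                      "object": obj_name, "errors": []}
            continue
        if CLIENT_CLOSE.search(line):
            if client and client_pattern_matches_trace(client["pattern"]):
                findings["trace_client_blocks"].append(client)
            client = None
            continue
        if client:
            # e.g. AuthTrans fn="set-variable" ... error="501"
            client["errors"].extend(ERROR_ATTR.findall(line))
        if SERVICE_TRACE.match(line):
            findings["active_service_trace"].append({
                "line": line_no, "object": obj_name,
                "inside_client": client["pattern"] if client else None})
    return findings


def trace_still_served(findings):
    """Heuristic verdict: an active service-trace Service with no matching
    <Client> block that sets an error code means TRACE is still served."""
    blocked = any(b["errors"] for b in findings["trace_client_blocks"])
    return bool(findings["active_service_trace"]) and not blocked


# Constructed sample configurations (not copied from a real installation).
BEFORE_CONF = """<Object name="default">
Service method="TRACE" fn="service-trace"
</Object>
"""
COMMENTED_CONF = BEFORE_CONF.replace('Service method="TRACE"',
                                     '#Service method="TRACE"')
CLIENT_CONF = """<Object name="default">
<Client method="(OPTIONS|TRACE|DELETE|PUT|MOVE|INDEX|MKDIR|RMDIR)">
AuthTrans fn="set-variable"
         remove-headers="transfer-encoding"
         set-headers="content-length: -1"
         error="501"
</Client>
Service method="TRACE" fn="service-trace"
</Object>
"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE_CONF), ("commented", COMMENTED_CONF),
                       ("client block", CLIENT_CONF)):
        print(name, "-> TRACE still served:", trace_still_served(audit_obj_conf(conf)))
```

Run it against every obj.conf under the instance's config directory (the comments note there can be several); a file reporting "TRACE still served: True" still needs one of the two fixes, and the line numbers in the findings say where.
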

Hi,

How do I disable directory listing on Sun ONE Web Server 6.1?

Where do I put <Client method="(OPTIONS|TRACE|DELETE|PUT|MOVE|INDEX|MKDIR|RMDIR)"> in obj.conf, and deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone"; in the ACL file?

Thank you.

Posted by Chris on April 23, 2012 at 10:30 AM IST #

<Client> tags can be placed anywhere.

In the default.acl file, in the ACL named "default", add this ACE in the first place:
version 3.0;
acl "default";
authenticate (user, group) {
prompt = "Oracle iPlanet Web Server";
};
deny absolute (http_trace, http_put, http_delete, http_move, http_mkdir, http_rmdir) user="anyone";
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";

Posted by Meena on April 23, 2012 at 05:49 PM IST #

Is this how to solve the problems:

1. How to block the directory listing
2. How to disable https methods like OPTIONS, TRACE, TRACK etc.?

and

why do we have two acl files?

generated.https-gmlid.acl
genwork.https-gmlid.acl

Posted by guest on April 24, 2012 at 11:58 AM IST #

For some reason none of these settings are working for me. I am running iplanet 7u13 on a SPARC T3. My server is strictly on port 443 so I am testing like this:

telnet 10.10.11.113 443
Trying 10.10.11.113...
Connected to 10.10.11.113.
Escape character is '^]'.
TRACE / HTTPS/1.1
HTTP/1.1 302 Moved Temporarily
Date: Wed, 11 Jul 2012 19:35:06 GMT
Location: https://webtest:443/
Content-length: 0
Connection: close

From my hostname-obj.conf:
<Object name="default">
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>

Also tried commenting out:
Service method="TRACE" fn="service-trace"

The ACL setting is a no-go either. Any ideas?

Thanks

Posted by guest on July 12, 2012 at 01:12 AM IST #

You cannot send SSL requests via telnet. The non-SSL request is getting redirected to the SSL URL. It's not serving the TRACE request.

Posted by Meena on July 13, 2012 at 12:55 PM IST #

1) Directory listing is disabled by default in Web Server 7.0. Refer to my blog
https://blogs.oracle.com/meena/entry/directory_listing_in_sun_java

2) About the question: How to disable https methods like OPTIONS, TRACE, TRACK etc.?
Comment out those functions from all *obj.confs and add ACLs. Also, you can set ACLs to deny (http_options) ... just to be doubly sure.

3) About the question "Why do we have two acl files? generated.https-*.acl genwork.https-*.acl"

Refer to http://docs.oracle.com/cd/E19857-01/820-5704/bhazk/index.html
It says: "After installation, the server_root/httpacl/generated.https-serverid.acl file provided default settings for the server. The server uses the working file genwork.https-serverid.acl until you create settings in the user interface. When editing an ACL file, you could make changes in the genwork file, then save and apply the changes using Sun Java System Web Server."

Posted by Meena on July 13, 2012 at 01:15 PM IST #

About

Meena Vyas

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today