Friday Jan 16, 2009

How to disable other methods in web server 6 ?

Sometimes, if you like/need to disable other methods which you do not need in web 6.1SPx, then you can add this into default object inside obj.conf,

in 6.1 web (for 7.0, please see comments below by Meena), you need to add

<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding"

set-headers="content-length: -1" error="501"
</Client>

(NOTE - all in ONE single line for <Client method ...> and AuthTrans... above!
You saw wrapping above because of formatting in tools/browsers !)

as below :

apple:/export/home/iws6.1sp10/https-methods/config> cat obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.

<Object name="default">
AuthTrans fn="match-browser" browser="\*MSIE\*" ssl-unclean-shutdown="true"
<Client method=("INDEX"|"OPTIONS"|"DELETE"|"PUT"|"MOVE"|"TRACE"|"INDEX"|"MKDIR"|"RMDIR")>
AuthTrans fn="set-variable" remove-headers="transfer-encoding"

set-headers="content-length: -1" error="501"
</Client>
....

then restart and will work ok.

2. tests:

a. INDEX :

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '\^]'.
INDEX / HTTP/1.1
Host: apple

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:34 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.

b. OPTIONS :

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '\^]'.
OPTIONS /banner.html HTTP/1.1
Host: apple

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:56:58 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>

c. TRACE method:

apple:/export/home/iws6.1sp10/https-methods/config> telnet apple 60106
Trying 129.158.175.16...
Connected to apple.
Escape character is '\^]'.
TRACE /index.html HTTP/1.1
Host: apple
X-header: test

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 16 Jan 2009 05:57:32 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
apple:/export/home/iws6.1sp10/https-methods/config>

3. Some may like to set up ACL, but there is still a chance for hackers to use above methods

if they discover the ACL uid/password.

So, if the above methods are not needed, then better disable them as above.

4. you can see a list of methods at

http://www.ietf.org/rfc/rfc2616.txt

e.g. section 9 Method Definitions

 


 

About

Wing-Yip Walter Lee

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today