Thursday Jun 11, 2009

How to disable directory listing in Web Server 6.1SPx?

If your security auditor says you need to disable directory listing in your Web Server 6.1SPx server, you can do this in the Admin GUI under Document Preferences - Directory Indexing - None. You can also configure an error response page to send back when a request asks for a directory index.


The obj.conf will then contain a line like the one below:


Service method="(GET|HEAD)" type="magnus-internal/directory" fn="send-error" path="/export/home/iws6.1sp9/docs/error.html"


Then restart the server for the change to take effect.


If instead you just comment out the default line below:


#Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"


then the end user will see "Method Not Allowed" in the browser when they request a directory listing, rather than the custom error page described above.

Tuesday Jun 24, 2008

How to disable the TRACE method in Sun Java Web Server and check it?

For security reasons, it is sometimes necessary to disable the TRACE method in Sun Java Web Server; see


http://sunsolve.sun.com/search/document.do?assetkey=1-66-200171-1

One common mistake is to cut and paste the snippet from that document as-is into the telnet window when editing obj.conf, which gives you:


"


              <Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>

 "


You must remove the leading spaces in front of <Client ...> and </Client>.


Also, the long AuthTrans directive must be on ONE SINGLE line (no line wrapping).


Then restart the server and test it.


e.g. in my environment:

<Object name="default">
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....



Then the customer can test to confirm that TRACE is disabled, e.g.

apple:/export/home/iws6.1sp8/https-trace-1/config> telnet apple.asia 60012
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:31:35 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.



Without the change above to disable TRACE, you will see the default response below, in which the server echoes the request back to the client:

apple:/export/home/iws6.1sp7> telnet apple.asia 61701
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:33:50 GMT
Content-type: message/http
Transfer-encoding: chunked

0026
TRACE / HTTP/1.1
Host: apple.asia


0

I hope the above helps customers check that TRACE is disabled correctly after their change.


For SSL, you can test with openssl s_client as follows (this transcript, taken from a Web Server 7.0 instance, shows TRACE still enabled):


 host40:/abc/web7u12/https-ssl> openssl s_client -quiet -connect  host40.abc.com:443
...
TRACE / HTTP/1.1
Host: host40.abc.com

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 30 Aug 2012 02:31:26 GMT
Content-type: message/http
Transfer-encoding: chunked

26
TRACE / HTTP/1.1
Host: host40.abc.com


0
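As an added example (not part of the original post), here is a small Python script that automates the telnet and openssl s_client checks above: it sends the same TRACE request and classifies the answer, treating a 200 with Content-type message/http (the echo seen above) as TRACE still enabled and a 501 or 405 as disabled. The host names, ports and the two response samples are constructed to mirror the transcripts; the script adds a Connection: close header so the read ends cleanly, and certificate verification is switched off because the check targets your own test instance.

```python
import socket
import ssl


def build_trace_request(host):
    # Same request typed by hand in the transcripts above, plus Connection: close
    # so the server ends the response and our read loop terminates.
    return f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def classify_trace_response(raw):
    """Return 'enabled', 'disabled' or 'unknown' from raw HTTP response bytes."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"            # not an HTTP status line
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        return "enabled"            # server echoed the request back: TRACE works
    if status in (501, 405):
        return "disabled"           # Not Implemented / Method Not Allowed
    return "unknown"


def check_trace(host, port, use_ssl=False, timeout=5.0):
    """Send a TRACE request (plain or TLS) to a server you own and classify it."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # self-signed test instance, like s_client
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed samples modelled on the two transcripts above (not live captures).
SAMPLE_DISABLED = (b"HTTP/1.1 501 Not Implemented\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                   b"Content-length: 148\r\nContent-type: text/html\r\nConnection: close\r\n\r\n"
                   b"<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD></HTML>")
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                  b"Content-type: message/http\r\nTransfer-encoding: chunked\r\n\r\n"
                  b"0026\r\nTRACE / HTTP/1.1\r\nHost: apple.asia\r\n\r\n\r\n0\r\n\r\n")
```

Run it as `check_trace("apple.asia", 60012)` or `check_trace("host40.abc.com", 443, use_ssl=True)` against your own instance; anything but "disabled" means the obj.conf change is not in effect.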


About

Wing-Yip Walter Lee