Tuesday Jul 29, 2008

Two Sun Alerts for Search in Sun Java Web server

There are two such Sun Alerts for XSS, one is for Search and the other is for Advanced Search.


 You can see Search like below:

[Screenshot: Search]

and Advanced Search as follows:

[Screenshot: Advanced Search]


You can see the Sun Alerts at


http://sunsolve.sun.com/search/document.do?assetkey=1-66-231467-1


and


http://sunsolve.sun.com/search/document.do?assetkey=1-66-236481-1


The best option is to upgrade to the latest SPs (service packs) listed in the above Sun Alerts.


If you cannot upgrade right now and need to apply the workarounds for now (then upgrade later), please remember to apply the workarounds for BOTH Sun Alerts, e.g.


for Search,


"


4. Workaround


To work around the described issue, edit the default search web
application file named "index.jsp" which is located at
"<WS-install>/lib/webapps/search/index.jsp" to remove the line containing the text
"out.println(s);".


"


and for Advanced Search,


"


4. Workaround


The following file can be edited to workaround this issue:


<install root>/bin/https/webapps/search/advanced.jsp

by removing the following lines:

<input type=hidden name="next" value="<%=request.getParameter("next")%>">

"out.println(s);"


"

 I saw some only do one but not the other, so I am writing this here so you know you need to do BOTH Sun Alerts.

Tuesday Jun 24, 2008

How to disable the TRACE method in Sun Java Web server and check it?

For security reasons, it is sometimes necessary to disable the TRACE method in Sun Java Web server; see


 http://sunsolve.sun.com/search/document.do?assetkey=1-66-200171-1

 One common mistake is to just cut and paste the snippet from the Sun Alert into the telnet window while editing obj.conf, which gives you something like:


"


              <Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>

 "


You must remove the spaces in front of <Client...> and </Client>.


Also, the long AuthTrans line is ONE SINGLE line; it must not be split across two lines.


Then, you can restart and test it.


e.g. in my environment, obj.conf contains:

<Object name="default">
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....



then the customer can test to see that TRACE is disabled, e.g.

apple:/export/home/iws6.1sp8/https-trace-1/config> telnet apple.asia 60012
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '\^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:31:35 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.



When the change above to disable TRACE is not in place, you will see the default response below:

apple:/export/home/iws6.1sp7> telnet apple.asia 61701
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '\^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:33:50 GMT
Content-type: message/http
Transfer-encoding: chunked

0026
TRACE / HTTP/1.1
Host: apple.asia


0

I hope the above will help customers check whether their TRACE is disabled correctly after their change.


For SSL, you can test as follows:


 host40:/abc/web7u12/https-ssl> openssl s_client -quiet -connect  host40.abc.com:443
...
TRACE / HTTP/1.1
Host: host40.abc.com

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 30 Aug 2012 02:31:26 GMT
Content-type: message/http
Transfer-encoding: chunked

26
TRACE / HTTP/1.1
Host: host40.abc.com


0
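An added example (not part of the original post) that automates the telnet and openssl s_client checks above in Python: it sends one TRACE request and classifies the response the same way the two sessions do (501 means the obj.conf workaround is in place; 200 with Content-type message/http and the request echoed back means TRACE is still enabled). The sample responses, the host names and the trace_enabled/check_trace functions are constructed for this example and are not from the Sun Alert.

```python
import socket
import ssl

# Constructed samples modelled on the two telnet sessions shown above.
DISABLED_SAMPLE = (b"HTTP/1.1 501 Not Implemented\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                   b"Content-type: text/html\r\nConnection: close\r\n\r\n"
                   b"<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD></HTML>")
ENABLED_SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
                  b"Content-type: message/http\r\nTransfer-encoding: chunked\r\n\r\n"
                  b"26\r\nTRACE / HTTP/1.1\r\nHost: apple.asia\r\n\r\n\r\n0\r\n\r\n")

def trace_enabled(raw):
    # A server with the obj.conf workaround answers 501; one that still
    # implements TRACE answers 200 with message/http and echoes the request.
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    echoed = headers.get(b"content-type") == b"message/http" and b"TRACE /" in body
    return status == 200 and echoed

def check_trace(host, port, use_tls=False, timeout=5):
    # Same request as typed into telnet / openssl s_client above, plus
    # Connection: close so the server ends the exchange for us.
    request = ("TRACE / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # like s_client: we are testing whether
        ctx.verify_mode = ssl.CERT_NONE  # our own server honours TRACE, not its cert
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))

if __name__ == "__main__":
    import sys  # usage: python trace_check.py HOST PORT [ssl]
    enabled = check_trace(sys.argv[1], int(sys.argv[2]), len(sys.argv) > 3 and sys.argv[3] == "ssl")
    print("TRACE still enabled" if enabled else "TRACE disabled (501): workaround in place")
```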




About

Wing-Yip Walter Lee
