Discussion:
Disable HTTP TRACE support
Josinaldo
2006-06-26 19:11:02 UTC
Hello friends!

I ran Nessus on a Windows 2000 Server AD server and it reports the
vulnerability below:

http (80/tcp) Info Synopsis :Debugging functions are enabled on the remote
HTTP server.

Description :
The remote webserver supports the TRACE and/or TRACK methods.
TRACE and TRACK are HTTP methods which are used to debug web server
connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing",
when used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give him
their credentials.

Solution :
Disable these methods.

See also :
http://www.kb.cert.org/vuls/id/867593

Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :

Solution : Use the URLScan tool to deny HTTP TRACE requests or to permit
only the methods needed to meet site requirements and policy.
CVE : CVE-2004-2320
BID : 9506, 9561, 11604


I couldn't figure out how to disable this. Can anyone give me a hand?

Regards,
Josinaldo
Guilherme Carnevale [MVP]
2006-06-27 00:32:02 UTC
1) Download URLScan and install it on your web server.
http://www.microsoft.com/technet/security/tools/urlscan.mspx

That's it; once URLScan is installed it will accept GET, POST, etc. and will
no longer accept the TRACE "verb".
If you want to customize it:
C:\winnt\system32\inetsrv\urlscan\urlscan.ini

For IIS 6 (Windows 2003) there is a registry key, but since you are on IIS 5
this is the only way :)
On IIS 6 it is disabled by default; to enable it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\EnableTraceMethod

:-)
--
Guilherme Carnevale
MVP - Windows Shell/User
Rafael Harduim
2010-03-23 02:56:06 UTC
I need to know whether there is any other way to disable the Trace Method
on IIS 5 without using URLScan?

I can't use IIS 5.

Thanks,
Rafael Harduim
2010-03-23 03:00:01 UTC
I saw that it can be disabled without using URLScan, but I didn't quite
understand how to do it.

Where should I make these settings?


Disable HTTP TRACE support

Based on site requirements and policy, consider disabling HTTP TRACE support
in web servers. As a best practice, we recommend limiting input
("whitelisting") to the minimum set of methods required for proper operation
of a given application.

Apache HTTP Server
To disable HTTP TRACE support, set TraceEnable Off.

Alternatively, use the Apache mod_rewrite module to deny HTTP TRACE requests
or to permit only the methods needed to meet site requirements and policy.
TRACE requests can be disabled with the following mod_rewrite syntax:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Disabling HTTP TRACE with the TraceEnable directive is simpler, more direct,
and requires less overhead than using mod_rewrite.


Thank you very much
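Whichever fix is applied, the URLScan verb filtering that Guilherme describes for IIS 5, the EnableTraceMethod registry value on IIS 6, or TraceEnable Off / the mod_rewrite rule from the CERT text above for Apache, the server should be re-checked the way Nessus checked it. The following Python script is an added example, not code from this thread, from Microsoft or from Apache: trace_enabled() sends a TRACE request and reports whether the server echoes it back (the behaviour the XST finding is about) or refuses it. It ships with a constructed local test server that can run in both modes so the check works offline; the loopback addresses, the X-Trace-Probe header and the 405 response used by the hardened mode are assumptions for the demo.

```python
"""Verify that an HTTP server no longer honours the TRACE method.

Added example for the thread above; not part of the original posts.
Point trace_enabled() at a real host:port after hardening, or run the
file directly to exercise the constructed local test target.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def trace_enabled(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if the server honours TRACE (echoes the request back).

    A hardened server answers 403/405/501 (URLScan, IIS 6 with
    EnableTraceMethod unset, Apache TraceEnable Off) or drops the connection.
    A server that still supports TRACE answers 200 with a message/http body
    containing the request line and headers we sent, which is exactly what
    lets a script read cookies or auth headers (the XST problem).
    """
    marker = "X-Trace-Probe"  # assumed probe header, only used to spot the echo
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={marker: "1"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
    except (http.client.HTTPException, OSError):
        return False  # refused/reset: TRACE is not being served
    finally:
        conn.close()
    if resp.status != 200:
        return False
    # The real tell is our own request being reflected in the body.
    return body.startswith("TRACE / HTTP/1.1") or marker in body


class _TraceHandler(BaseHTTPRequestHandler):
    """Constructed test target; `allow_trace` selects legacy or hardened mode."""
    allow_trace = True

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def do_TRACE(self):
        if not self.allow_trace:
            # Hardened behaviour: refuse the method, advertise what is allowed.
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD, POST")
            self.end_headers()
            return
        # Legacy behaviour: reflect request line and headers to the client.
        payload = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo quiet


def _serve(allow_trace: bool) -> HTTPServer:
    """Start the test target on a free loopback port in a background thread."""
    handler = type("Handler", (_TraceHandler,), {"allow_trace": allow_trace})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Run the check against the target in both modes; return the verdicts."""
    results = {}
    for mode in ("enabled", "disabled"):
        srv = _serve(allow_trace=(mode == "enabled"))
        try:
            host, port = srv.server_address
            results[mode] = trace_enabled(host, port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, enabled in demo().items():
        print(f"test server with TRACE {mode}: trace_enabled() -> {enabled}")
    # Against a real server after hardening, e.g.:
    #   trace_enabled("intranet.example", 80)   # expect False
```

The check deliberately keys on the reflected request line rather than on the status code alone, because a front-end or filter may answer 200 with an error page; only a body that contains what the client sent demonstrates that TRACE is still being processed.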