Note: This is an archival copy of Security Sun Alert 200171 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000125.1.
Article ID : 1000125.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun ONE/iPlanet Web Server Enables HTTP TRACE Method by Default



Category
Security

Release Phase
Resolved

Bug Id
4808654

Date of Resolved Release
11-FEB-2003

CERT Vulnerability Note VU#867593 ... see below:

Impact

CERT Vulnerability Note VU#867593 describes a technique (cross-site tracing) that abuses the HTTP TRACE method to gain access to information in HTTP headers. A server that honours TRACE echoes the request it received back to the client in the response body, so a script that can make a browser issue a TRACE request to a Sun ONE/iPlanet Web Server may read back sensitive headers the browser attached to that request, such as Cookie or Authorization, even where the script could not read them directly.

This issue is described in CERT Vulnerability Note VU#867593 (see http://www.kb.cert.org/vuls/id/867593).

Note 1: HTTP TRACE, which is part of the HTTP 1.1 standard and described in RFC 2616, is enabled by default on Sun ONE/iPlanet Web Servers.

Note 2: Sun ONE/iPlanet Web Servers could be used as an agent in exploiting this issue: the server itself is not compromised, but it acts as the reflector for the request headers.


Contributing Factors

This issue can occur in the following releases:

  • Sun ONE/iPlanet Web Server 4.1 and all Service Packs
  • Sun ONE/iPlanet Web Server 6.0 and all Service Packs
  • Sun ONE/iPlanet Web Server 6.1 and all Service Packs
  • Sun Java System Web Server 7.0 and later

For supported architectures and OS versions see: http://wwws.sun.com/software/download/download/5292.html.


Symptoms

There are no predictable symptoms that would show the described issue has been exploited.


Workaround

The described issue is not a defect of the Sun ONE/iPlanet Web Server. However, the following recommendation is provided to avoid this issue.

Disable HTTP TRACE support as follows:

  • Sun ONE Web Server 6.0 Service Pack 2 and later, 6.1, and Sun Java System Web Server 7.0 and later:
	Add the following to the top of the default object in obj.conf:
	<Client method="TRACE">
	AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
	</Client>
	Restart the web server.
  • Sun ONE Web Server releases prior to 6.0 Service Pack 2:
	Create a file called reject_trace.c and paste the code below into it
	----------------------------- start --------------------------------
	#include <string.h>
	#include "nsapi.h"

	/*
	 * AuthTrans SAF: refuse HTTP TRACE requests. Any other method falls
	 * through untouched (REQ_NOACTION).
	 */
	NSAPI_PUBLIC int reject_trace(pblock *pb, Session *sn, Request *rq)
	{
	    const char *method = pblock_findval("method", rq->reqpb);

	    if (method && !strcmp(method, "TRACE")) {
	        /*
	         * Set a bogus content length so the TRACE handler will refuse to
	         * handle the request, then answer 501 Not Implemented.
	         */
	        param_free(pblock_remove("transfer-encoding", rq->headers));
	        param_free(pblock_remove("content-length", rq->headers));
	        pblock_nvinsert("content-length", "-1", rq->headers);
	        log_error(LOG_WARN, "reject-trace", sn, rq, "rejecting TRACE request");
	        protocol_status(sn, rq, PROTOCOL_NOT_IMPLEMENTED, NULL);
	        return REQ_ABORTED;
	    }
	    return REQ_NOACTION;
	}
	----------------------------- end ----------------------------------
	Compile it as an NSAPI plugin (shared library) as described for your release:
	http://docs.sun.com/source/816-5686-10/04_mysaf.htm#15053 (6.x)
	http://docs.sun.com/source/816-5673-10/04_mysaf.htm#15053 (4.x)
	Sun ONE/iPlanet Web Server 6.0 RTM and 6.0 SP1: add to the end of the magnus.conf file:
	Init fn="load-modules" shlib="<path to library>/reject_trace.so" funcs="reject_trace"
	Then edit the obj.conf file and add the following line directly after <Object name="default">:
	AuthTrans fn="reject_trace"
	Sun ONE/iPlanet Web Server 4.1 Service Pack 1 through 12: edit obj.conf and add to the end of the Init section:
	Init fn="load-modules" shlib="<path to library>/reject_trace.so" funcs="reject_trace"
	Then, directly after the line <Object name="default">, add:
	AuthTrans fn="reject_trace"
	Restart the web server so the Init directive is read.

Note: The above script is provided "AS IS" and it is the user's responsibility to verify that it has been implemented correctly.
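To confirm that a server honours TRACE before the change and refuses it afterwards, the probe below sends a TRACE request carrying a dummy Cookie and a random marker header and classifies the reply. This is an added example for this archived alert, not Sun/Oracle code: the X-Trace-Probe header name, the host and port, and the sample responses at the bottom are assumptions constructed for illustration. A 200 reply whose body echoes the marker means TRACE is live and the request headers (Cookie included) are readable; 501 (the error code the workaround above sets) or 405 means the method is refused.

```python
"""Probe a web server for HTTP TRACE reflection (cross-site tracing check).

Added example for this advisory, not Sun/Oracle code. The host, port and the
X-Trace-Probe header name are assumptions chosen for illustration; the
sample responses at the bottom are constructed, not captured from a server.
"""
import http.client
import secrets

MARKER_HEADER = "X-Trace-Probe"  # assumed name; any unusual header works


def reflected_headers(body):
    """Parse the message/http body a TRACE-enabled server returns.

    The body is the request as the server saw it: request line, header
    lines, blank line. Returns {lower-case-name: value}; an empty dict
    means nothing recognisable was echoed (e.g. an HTML error page).
    """
    text = body.decode("iso-8859-1", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("TRACE "):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_trace_response(status, body, marker):
    """'reflected': TRACE served and our marker came back (headers exposed);
    'rejected': 405/501, e.g. the set-variable or reject_trace workaround;
    'other': anything else (proxy interference, redirect, ...)."""
    if status == 200 and reflected_headers(body).get(MARKER_HEADER.lower()) == marker:
        return "reflected"
    if status in (405, 501):
        return "rejected"
    return "other"


def probe(host, port=80, timeout=5.0):
    """Send a real TRACE carrying a dummy Cookie and a random marker.

    Returns (classification, echoed headers). Not exercised offline.
    """
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={
            "Cookie": "SESSION=dummy-not-a-real-session",
            MARKER_HEADER: marker,
            "Connection": "close",
        })
        resp = conn.getresponse()
        body = resp.read()
        return classify_trace_response(resp.status, body, marker), reflected_headers(body)
    finally:
        conn.close()


# Constructed sample responses (not captured from a live server).
SAMPLE_MARKER = "deadbeefcafef00d"
SAMPLE_REFLECTED_BODY = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: SESSION=dummy-not-a-real-session\r\n"
    b"X-Trace-Probe: deadbeefcafef00d\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
SAMPLE_REJECTED_BODY = b"<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD></HTML>"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict, echoed = probe(sys.argv[1])
        print(verdict, echoed)
    else:
        # Offline demonstration on the constructed samples.
        print(classify_trace_response(200, SAMPLE_REFLECTED_BODY, SAMPLE_MARKER))
        print(classify_trace_response(501, SAMPLE_REJECTED_BODY, SAMPLE_MARKER))
```

Run it with a hostname to probe a real listener, or with no arguments to see the two constructed outcomes. The random marker matters: some intermediaries answer TRACE themselves, and only a body that echoes this request's marker proves the origin server reflected it.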


Resolution

This issue may be addressed by disabling HTTP TRACE as shown in the Workaround section above.

Note: this issue also affects all subsequent releases of this product.

Modification History

Date: 02-MAY-2003
  • Updated Relief/Workaround section

Date: 19-MAY-2003
  • Fixed typos in Relief/Workaround section

Date: 13-AUG-2004
  • Updated Contributing Factors and Relief/Workaround sections

Date: 26-AUG-2009
  • Updated Contributing Factors to include Web Server 7.0 and all subsequent releases



Product
Sun Java System Web Server 7.0



Attachments
This solution has no attachment