Note: This is an archival copy of Security Sun Alert 200171 as previously published on http://sunsolve.sun.com. The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000125.1.
Category: Security
Release Phase: Resolved
Bug ID: 4808654
Date of Resolved Release: 11-FEB-2003
CERT Vulnerability: VU#867593 (see below)

Impact

CERT Vulnerability VU#867593 describes a technique that abuses the HTTP TRACE method to read the contents of HTTP request headers. A server that supports TRACE echoes the request it received back to the client, so the method can be used to obtain sensitive header values (for example session cookies or Authorization headers) that a client sends when making HTTP requests to Sun ONE/iPlanet Web Servers. The issue is described in CERT Vulnerability Note VU#867593 (see http://www.kb.cert.org/vuls/id/867593).

Note 1: HTTP TRACE is part of the HTTP 1.1 standard (RFC 2616) and is enabled by default on Sun ONE/iPlanet Web Servers.

Note 2: Sun ONE/iPlanet Web Servers with TRACE enabled could be used as the reflecting agent in such an attack.

Contributing Factors

This issue can occur in the following releases:
For supported architectures and OS versions see: http://wwws.sun.com/software/download/download/5292.html.

Symptoms

There are no predictable symptoms that would show the described issue has been exploited. A reflected TRACE request is served as a normal, successful request; the only trace it leaves is an access log entry whose request method is TRACE.
Workaround

The described issue is not a defect of the Sun ONE/iPlanet Web Server; the server implements the TRACE method as RFC 2616 specifies. The following recommendation is nevertheless provided to avoid the issue. Disable HTTP TRACE support for Sun ONE/iPlanet Web Server 4.1 and 6.0 using one of the methods below, according to the release in use.
Using the set-variable SAF in obj.conf:

Add the following to the top of the default object in obj.conf:

<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>

Then restart the web server.
Using an NSAPI plugin (Sun ONE/iPlanet Web Server 6.0 RTM, 6.0 SP1, and 4.1 SP1 through SP12):

Create a file called reject_trace.c and paste the code below into it:

----------------------------- start --------------------------------
#include <string.h>
#include "nsapi.h"

/*
 * AuthTrans SAF that refuses HTTP TRACE requests.
 * Any other method returns REQ_NOACTION so the request is processed
 * normally by the rest of the object.
 */
NSAPI_PUBLIC int reject_trace(pblock *pb, Session *sn, Request *rq)
{
    const char *method;

    method = pblock_findval("method", rq->reqpb);
    if (method && !strcmp(method, "TRACE")) {
        /*
         * Set a bogus content length so the TRACE handler will refuse to
         * handle the request
         */
        param_free(pblock_remove("transfer-encoding", rq->headers));
        param_free(pblock_remove("content-length", rq->headers));
        pblock_nvinsert("content-length", "-1", rq->headers);
        log_error(LOG_WARN, "reject-trace", sn, rq, "rejecting TRACE request");
        /* Answer 501 Not Implemented and stop processing this request */
        protocol_status(sn, rq, PROTOCOL_NOT_IMPLEMENTED, NULL);
        return REQ_ABORTED;
    }
    return REQ_NOACTION;
}
------------------------------ end ---------------------------------

Compile the NSAPI plugin into a shared library as described in the documentation for your release:
http://docs.sun.com/source/816-5686-10/04_mysaf.htm#15053 (6.x)
http://docs.sun.com/source/816-5673-10/04_mysaf.htm#15053 (4.x)

Sun ONE/iPlanet Web Server 6.0 RTM and 6.0 SP1: add the following to the end of the magnus.conf file:

Init fn="load-modules" shlib="<path to library>/reject_trace.so" funcs="reject_trace"

Then edit the obj.conf file and add the following line after <Object name="default">:

AuthTrans fn="reject_trace"

Sun ONE/iPlanet Web Server 4.1 Service Pack 1 through 12: edit obj.conf and add the following to the end of the Init section:

Init fn="load-modules" shlib="<path to library>/reject_trace.so" funcs="reject_trace"

Then add the following after the line <Object name="default">:

AuthTrans fn="reject_trace"

Init directives are read only at startup, so restart the web server after editing these files for the module to be loaded.

Note: The above script is provided "AS IS" and it is the user's responsibility to verify it has been implemented correctly.
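To confirm that a server reflects TRACE before applying either workaround, and that it refuses TRACE afterwards, the following probe is an added example written for this page; it is not part of the Sun Alert or of any Sun product. It sends a raw HTTP/1.1 TRACE request carrying a marker header and a dummy cookie, then classifies the reply: a 2xx response whose body echoes the marker means TRACE is enabled and request headers are being returned to the caller; a 501 (what both workarounds above produce) or a 405 means the method is refused. The marker header name X-Trace-Probe, the host name www.example.com and the sample responses are assumptions constructed for the example, not captured from a real server.

```python
import socket
import sys

MARKER_HEADER = "X-Trace-Probe"   # assumed name; any unusual header works as a marker


def build_trace_request(host, path="/", marker="xst-check-1"):
    """Raw HTTP/1.1 TRACE request carrying a marker header and a dummy cookie.

    A server that honours TRACE echoes the whole request back in the body,
    which is exactly the behaviour the advisory warns about.
    """
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"{MARKER_HEADER}: {marker}",
        "Cookie: session=probe-only-not-a-real-cookie",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers_dict, body_bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response (no header terminator)")
    head_lines = head.decode("iso-8859-1").split("\r\n")
    parts = head_lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {head_lines[0]!r}")
    status = int(parts[1])
    headers = {}
    for line in head_lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(raw, marker="xst-check-1"):
    """Return 'reflected', 'rejected' or 'other' for a reply to build_trace_request()."""
    status, headers, body = parse_response(raw)
    echoed = marker.encode("ascii") in body
    if 200 <= status < 300 and echoed:
        return "reflected"      # TRACE enabled: request headers come back to the caller
    if status in (405, 501):
        return "rejected"       # method refused; a workaround is in effect
    return "other"


def probe(host, port=80, path="/", timeout=5.0):
    """Send the TRACE probe over a plain TCP socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample responses (not captured from a real server).
REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"X-Trace-Probe: xst-check-1\r\n"
    b"Cookie: session=probe-only-not-a-real-cookie\r\n\r\n"
)
REJECTED_501 = b"HTTP/1.1 501 Not Implemented\r\nConnection: close\r\n\r\n"
REJECTED_405 = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python trace_probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(sys.argv[1], "->", probe(sys.argv[1], port))
    else:
        for name, sample in (("reflected", REFLECTED), ("501", REJECTED_501), ("405", REJECTED_405)):
            print(name, "->", classify_trace_response(sample))
```

The probe deliberately speaks raw HTTP over a socket rather than using an HTTP client library, because some client libraries and all current browsers refuse to issue TRACE at all, which would make a healthy "rejected" result indistinguishable from a client-side refusal. Run it against the server before and after the change; a result of "reflected" after the restart means the directive was not placed in the object that actually serves the request.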
Resolution

This issue may be addressed by disabling HTTP TRACE as shown in the Workaround section above.

Note: this issue also affects all subsequent releases of this product.

Modification History

26-Aug-2009: Updated Contributing Factors to include Web Server 7.0 and all subsequent releases
Date: 02-MAY-2003
Date: 19-MAY-2003
Date: 13-AUG-2004

Product: Sun Java System Web Server 7.0

Attachments: This solution has no attachment.