Neurohazard

[Host Vulnerability] HTTP TRACE / TRACK Methods Allowed

wpadmin, July 27, 2018, InfoSec



References

https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_http_trace_method_xss_vulnerability
https://www.tenable.com/plugins/nessus/11213
http://www.alphadevx.com/a/383-Disabling-the-TRACE-method-in-Apache2
https://community.pivotal.io/s/article/How-to-disable-HTTP-TRACE-for-Apache-httpd-Pivotal-Web-Server-and-How-to-test-HTTP-TRACE

Impact

TRACE and TRACK are HTTP methods used to debug web server connections.
Servers that support these methods may be subject to cross-site scripting attacks when the methods are used in conjunction with various weaknesses in browsers.

Detection

Using Nmap

nmap -n -p80 -sT --script http-methods,http-trace 192.168.1.1

Using curl; if the issue has been fixed, the server returns a 405 Method Not Allowed response:

curl -i -X TRACE http://192.168.1.1/
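The curl check above only shows the raw response; a scanner has to decide from that response whether the method is really enabled. The script below, an added example that is not part of the original post and not the Nessus plugin's code, sends a TRACE (or TRACK) request over a plain socket and classifies the reply the way the Nessus output further down suggests: a 200 with Content-Type message/http (or a body that echoes the request line) means the method is enabled, while 405/501/403 means it is blocked. The two sample responses are constructed for the test and modelled on the Nessus output on this page, with a placeholder host name.

```python
import socket
from typing import Dict, Tuple

# Constructed sample responses (modelled on the Nessus output in this post, not captured live).
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.33 (Win64) PHP/5.6.35\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
)
SAMPLE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,POST,OPTIONS,HEAD\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if b":" in line:
            key, value = line.split(b":", 1)
            headers[key.strip().decode("iso-8859-1").lower()] = value.strip().decode("iso-8859-1")
    return status, headers, body


def classify_trace(raw: bytes, method: str = "TRACE") -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a response to a TRACE/TRACK request.

    A server that honours TRACE answers 200 with Content-Type message/http and echoes the
    request back as the body. The body may be chunk-encoded (as in the Nessus capture), so
    the Content-Type check is the reliable signal; the echo check is a fallback.
    """
    status, headers, body = parse_response(raw)
    content_type = headers.get("content-type", "").lower()
    echoed = body.startswith(f"{method} ".encode("ascii"))
    if status == 200 and (content_type.startswith("message/http") or echoed):
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"


def probe(host: str, port: int = 80, method: str = "TRACE", timeout: float = 5.0) -> str:
    """Send one request with the given method over a plain TCP socket and classify the reply."""
    request = f"{method} / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace(b"".join(chunks), method)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for m in ("TRACE", "TRACK"):
        print(f"{m}: {probe(target, method=m)}")
```

Run it against a host you administer (`python3 trace_check.py 192.168.1.1`) before and after applying the fix below; the expected result after the fix is `disabled` for both methods. Note that Apache httpd does not implement TRACK at all and answers it with 405 or 501 regardless of the TraceEnable setting, so a TRACK finding is mainly relevant to other servers; TraceEnable off makes Apache return 405 for TRACE, which is what the curl check above looks for.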

Solution

To disable these methods, add the following lines for each virtual host in your configuration file:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request:

------------------------------ snip ------------------------------
TRACE /Nessus962237332.html HTTP/1.1
Connection: Close
Host: 192.168.27.59
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server:

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 01 Aug 2018 06:57:59 GMT
Server: Apache/2.4.33 (Win64) PHP/5.6.35
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus962237332.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.27.59
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

Option 1: httpd

Add the following line to the end of httpd.conf, then restart the Apache2 service.

TraceEnable off

Option 2: Virtual hosts

https://blog.csdn.net/andy1219111/article/details/7718553

http://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html

First make sure the rewrite_module module is enabled in Apache2:

# httpd.conf
LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"

Virtual host users can add the following to their .htaccess file to reject TRACE requests.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
