Secure Apache TRACE Vulnerabilities

  telnet www.example.com 80

After the connection banner

  Trying 12.34.56.78...
  Connected to www.example.com.
  Escape character is '^]'.

enter these commands:

  TRACE /index.html HTTP/1.1
  Host: www.example.com
  [CR]

([CR] = carriage return: send a blank line to signify the end of the headers being sent.)

If your server is “vulnerable”, you will get back a response similar to this one (status 200), with your own request echoed in the body:

  HTTP/1.1 200 OK
  Date: Sat, 17 Dec 2005 23:51:29 GMT
  Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
  Connection: close
  Transfer-Encoding: chunked
  Content-Type: message/http

  30
  TRACE /index.html HTTP/1.1
  Host: www.example.com

  0
  Connection closed by foreign host.

This is “bad” because TRACE echoes the request back verbatim: an attacker who can make a browser issue a carefully crafted request can read cookies or other header information out of the response.

To protect your server, log in as root and add this block to every VirtualHost container in /etc/httpd/conf/httpd.conf and /etc/httpd/conf/vhosts/site[1-n]:

  # Block TRACE/TRACK XSS vector
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
  RewriteRule .* - [F]

Then reload Apache so the new configuration takes effect:

  /etc/rc.d/init.d/httpd reload

Once you have done that, repeat the same test; the reply will now look different (status 403):

  HTTP/1.1 403 Forbidden
  Date: Sat, 17 Dec 2005 00:01:06 GMT
  Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
  Last-Modified: Fri, 11 Feb 2005 05:30:57 GMT
  ETag: "601d904-4dd-420c4311"
  Accept-Ranges: bytes
  Content-Length: 1245
  Content-Type: text/html

  ... HTML content snipped ...
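The telnet exchange above is easy to do by hand for one host, but it is worth scripting so the before/after check can be repeated across every VirtualHost. The following Python script is an added example written for this page; it is not code from the original post. It builds the same TRACE request, classifies the reply by status line and Content-Type (200 with message/http means TRACE is answering, 403 or 405 means it is blocked), and decodes the chunked body so you can see exactly which request headers the server echoed back. The two sample responses are constructed inline, modelled on the transcripts above, so the parsing logic runs offline; the hostname www.example.com, the address 12.34.56.78 and the Cookie value are placeholders.

```python
"""Check whether an Apache host still answers HTTP TRACE (added example, not the post's code)."""
import socket
import sys


def build_trace_request(host: str, path: str = "/index.html", extra_headers=()) -> bytes:
    """Build the TRACE request typed into telnet above, plus optional extra headers."""
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}", "Connection: close", *extra_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def split_response(raw: bytes):
    """Return (status code, lowercased header dict, raw body) from a full HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF, ..., 0)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("truncated chunked body")
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2  # step over the chunk data and its trailing CRLF


def classify(raw: bytes):
    """Classify a TRACE reply: ('trace-enabled', echoed request) or ('blocked', b'')."""
    status, headers, body = split_response(raw)
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body = decode_chunked(body)
        return "trace-enabled", body
    if status in (403, 405):
        return "blocked", b""
    return f"other-{status}", b""


def probe(host: str, port: int = 80, timeout: float = 5.0):
    """Send one TRACE to a live host and classify the reply (network access required)."""
    request = build_trace_request(host, extra_headers=("Cookie: probe=constructed-marker",))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


# Constructed sample replies modelled on the two telnet transcripts above.
def _as_single_chunk(payload: bytes) -> bytes:
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)


ECHOED_REQUEST = (b"TRACE /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"Cookie: session=constructed-sample\r\n\r\n")

SAMPLE_TRACE_ENABLED = (b"HTTP/1.1 200 OK\r\n"
                        b"Connection: close\r\n"
                        b"Transfer-Encoding: chunked\r\n"
                        b"Content-Type: message/http\r\n\r\n") + _as_single_chunk(ECHOED_REQUEST)

SAMPLE_BLOCKED = (b"HTTP/1.1 403 Forbidden\r\n"
                  b"Content-Type: text/html\r\n"
                  b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, echoed = probe(sys.argv[1])
    else:
        verdict, echoed = classify(SAMPLE_TRACE_ENABLED)
    print(verdict)
    if echoed:
        print(echoed.decode(errors="replace"))
```

Run it with a hostname to test a live server, or with no arguments to see the parsing applied to the constructed sample. The Cookie header sent by probe() is deliberate: if it comes back in the echoed body, the server is returning request headers to the client, which is the behaviour the rewrite rule above is meant to stop. Because rewrite directives are not inherited into VirtualHost containers, the rule has to be present in each one; on Apache 1.3.34, 2.0.55 and later the server also offers the `TraceEnable off` directive, which disables TRACE server-wide without mod_rewrite.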
