I can't use IIS 5.
Thanks,
"Guilherme Carnevale [MVP]" wrote:
> 1) Download URLScan and install it on your web server.
> http://www.microsoft.com/technet/security/tools/urlscan.mspx
>
> That's all; once URLScan is installed it will accept GET, POST, etc. and will
> no longer accept the TRACE "verb".
> If you want to customize it:
> C:\winnt\system32\inetsrv\urlscan\urlscan.ini
>
> For IIS6 (Windows 2003) there is a registry key, but since you are on IIS5
> this is the only way :)
> On IIS6 it comes disabled by default; to enable it:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\EnableTraceMethod
>
> :-)
> --
> Guilherme Carnevale
> MVP - Windows Shell/User
>
>
> "Josinaldo" escreveu:
>
> > Hello friends!
> >
> > I ran Nessus against a Windows 2000 Server AD server and it reports the
> > vulnerability below:
> >
> > http (80/tcp) Info
> > Synopsis: Debugging functions are enabled on the remote HTTP server.
> >
> > Description :
> > The remote webserver supports the TRACE and/or TRACK methods.
> > TRACE and TRACK are HTTP methods which are used to debug web server
> > connections.
> > It has been shown that servers supporting this method are subject to
> > cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing",
> > when used in conjunction with various weaknesses in browsers.
> > An attacker may use this flaw to trick your legitimate web users to give him
> > their credentials.
> >
> > Solution :
> > Disable these methods.
> >
> > See also :
> > http://www.kb.cert.org/vuls/id/867593
> >
> > Risk factor :
> > Low / CVSS Base Score : 2
> > (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
> >
> > Plugin output :
> >
> > Solution : Use the URLScan tool to deny HTTP TRACE requests or to permit
> > only the methods needed to meet site requirements and policy.
> > CVE : CVE-2004-2320
> > BID : 9506, 9561, 11604
> >
> >
> > I couldn't figure out how to disable this. Can someone give me a hand?
> >
> > Regards,
> > Josinaldo
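The urlscan.ini change the reply above points at, written out as an added example (this is not the file Microsoft ships and not something posted in the thread). The section names and keys are URLScan's own; the verb lists are an assumed policy for a site that only needs GET, HEAD and POST, to be adjusted for the application:

```ini
; C:\winnt\system32\inetsrv\urlscan\urlscan.ini (fragment, added example)
[options]
; 1 = only the verbs listed under [AllowVerbs] are accepted, everything else is rejected.
; 0 = everything is accepted except the verbs listed under [DenyVerbs].
UseAllowVerbs=1
; Log every rejected request so the Nessus probe can be matched against the URLScan log.
EnableLogging=1

[AllowVerbs]
; Assumed minimum set for a typical site; add only the methods the application really uses.
GET
HEAD
POST

[DenyVerbs]
; Used only when UseAllowVerbs=0; TRACK is the IIS-specific alias Nessus also flags.
TRACE
TRACK
```

URLScan reads the file when the web service starts, so run iisreset after editing it. A rejected TRACE comes back as a 404 rather than a 405, which is what to expect when re-testing.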
Where should I make these settings?
Disable HTTP TRACE support
Based on site requirements and policy, consider disabling HTTP TRACE support
in web servers. As a best practice, we recommend limiting input
("whitelisting") to the minimum set of methods required for proper operation
of a given application.
Apache HTTP Server
To disable HTTP TRACE support, set TraceEnable Off.
Alternatively, use the Apache mod_rewrite module to deny HTTP TRACE requests
or to permit only the methods needed to meet site requirements and policy.
TRACE requests can be disabled with the following mod_rewrite syntax:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Disabling HTTP TRACE with the TraceEnable directive is simpler, more direct,
and requires less overhead than using mod_rewrite.
Thank you very much