| VID | 22152 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The Web server supports the TRACE and/or TRACK methods. Servers supporting these methods have been shown to be subject to cross-site scripting attacks, dubbed XST for 'Cross-Site Tracing', when used in conjunction with various weaknesses in browsers. WhiteHat Security, Inc., a company specializing in Web application security, has discovered a serious security flaw affecting all web servers worldwide. After months of extensive research and testing, WhiteHat found a way to exploit a flaw in the way all web servers communicate. The vulnerability exploits the TRACE method, which is used to debug web server connections: TRACE echoes the received request back to the client, so any headers the browser attached to the request (cookies, HTTP authentication credentials) come back in the response body, where script in a page can read them. This is a rarely used portion of the HTTP protocol but is turned on by default in all major web servers. TRACE is part of the HTTP protocol specification, which makes it somewhat difficult to remove. Using this vulnerability, an attacker could create a web site that steals user passwords for e-commerce sites, online banks, and Web-based e-mail systems from every user who visits that page. Such a malicious page could be e-mailed to people to extend the number of users attacked.
* References:
  * http://www.kb.cert.org/vuls/id/867593
  * http://archives.neohapsis.com/archives/bugtraq/2003-01/0230.html
  * http://www.ietf.org/rfc/rfc2616.txt
  * http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
  * http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
  * http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
* Platforms Affected: Any HTTP server, any version; any operating system, any version
| Recommendation |
Disable the TRACE and/or TRACK methods on the affected web server.

For Microsoft IIS: With URLScan installed, these methods are filtered by default. URLScan is available from http://www.microsoft.com/technet/security/tools/tools/urlscan.asp . URLScan is a security tool that works in conjunction with the IIS Lockdown Tool ( http://www.microsoft.com/technet/security/tools/tools/locktool.asp ) to give IIS Web site administrators the ability to turn off unneeded features and restrict the kinds of HTTP requests that the server will process. By blocking specific HTTP requests, URLScan prevents potentially harmful requests from reaching the server and causing damage.

For Apache: Add the line 'TraceEnable Off' to the httpd.conf file and restart the Apache server.

For Apache prior to 1.3.34 / 2.0.55: You can disable TRACE using the Apache module mod_rewrite, which provides a rule-based rewriting engine that rewrites requested URLs on the fly. To use a module that was built as a Dynamic Shared Object (DSO), you have to place the corresponding 'LoadModule' line in the httpd.conf file:
1. Open the [Apache home directory]/conf/httpd.conf file.
2. Locate the line containing the text "LoadModule rewrite_module". If the line begins with '#', remove the '#'.
3. Ensure that [module directory] and [module name] in that line are correct. [module directory] is located under [Apache home directory] and is usually named 'modules' or 'libexec'. [module name] is usually 'mod_rewrite.so', 'rewrite', or 'ApacheModuleRewrite.dll' on the Windows platform:
   LoadModule rewrite_module [module directory]/[module name]
4. If an "AddModule rewrite_module.c" line is required, locate the line containing the text "AddModule rewrite_module.c" and, if it begins with '#', remove the '#'.
5. Add the following three lines below the lines configured above:
   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^TRACE
   RewriteRule .* - [F]
6. Restart the httpd daemon: [Apache home directory]/bin/apachectl restart

For HP-UX: Follow the HP-UX security bulletins digest, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0309-279 at http://archives.neohapsis.com/archives/hp/2003-q3/0053.html

For Sun ONE/iPlanet Web Server: Apply the appropriate patch for your system, as listed in Sun Alert Notification 50603 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

For Sun Java System Application Server: Apply the appropriate patch for your system, as listed in Sun Alert Notification 57670 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-57670-1

For other distributions: Contact your vendor for upgrade or patch information.
| Related URL | (CVE) |
| Related URL | 9561,11604 (SecurityFocus) |
| Related URL | 11237,11149 (ISS) |
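As an added verification check for the Recommendation above (example code written for this entry, not part of the scanner database or of any vendor tool), the following Python script sends a single TRACE request to a server you administer and reports whether the method is still enabled. The sample responses are constructed, the host name is a placeholder, and the X-Trace-Check header name is an assumption used only to recognise the echo.

```python
import http.client
import sys
from typing import Tuple


def classify_trace_response(raw: bytes, marker: bytes) -> Tuple[int, bool]:
    """Return (status_code, trace_enabled) for a raw HTTP response.

    TRACE counts as enabled when the server answers 2xx and the body echoes
    the request we sent (recognised by the marker header value). That echo is
    what XST relies on; a 405/403/501, or a 2xx without the echo, means the
    mitigation is in place.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    echoed = marker in body
    # A TRACE reply carries Content-Type: message/http (RFC 2616, section 9.8).
    is_message_http = headers.get(b"content-type", b"").startswith(b"message/http")
    return status, 200 <= status < 300 and (echoed or is_message_http)


def probe_trace(host: str, port: int = 80, marker: str = "xst-check") -> Tuple[int, bool]:
    """Send one TRACE request to a server you administer and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    # Rebuild a minimal raw response so the same classifier applies to live replies.
    head = (f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
            f"Content-Type: {resp.getheader('Content-Type', '')}\r\n\r\n").encode()
    return classify_trace_response(head + body, marker.encode())


# Constructed sample responses (not captured from any real server) for offline checks.
_REQUEST = b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\nX-Trace-Check: xst-check\r\n\r\n"
ECHOING_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                    b"Content-Length: %d\r\n\r\n" % len(_REQUEST)) + _REQUEST
REFUSING_RESPONSE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.test"  # placeholder host
    code, enabled = probe_trace(target)
    print(f"{target}: HTTP {code}, TRACE {'ENABLED' if enabled else 'disabled'}")
```

Run it against each server after applying the TraceEnable or mod_rewrite change; a 403 or 405 with no echo confirms the method is blocked.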