Sun ONE/iPlanet Web Server Enables HTTP TRACE Method by Default



Category :Security
Release Phase :Resolved
Bug Id :4808654  
Date of Resolved Release :11-FEB-2003 
Product :Sun Java System Web Server 7.0  

CERT Vulnerability VU867593 ... see below:


Impact

CERT Vulnerability VU#867593 describes a technique to abuse the HTTP TRACE functionality to gain access to information in HTTP headers. This technique may be used to obtain sensitive information from HTTP headers by sending HTTP TRACE requests to Sun ONE/iPlanet Web Servers.

This issue is described in the CERT Vulnerability VU#867593 (see http://www.kb.cert.org/vuls/id/867593).

Note 1: HTTP TRACE, which is part of the HTTP 1.1 standard and described in RFC 2616, is enabled by default on Sun ONE/iPlanet Web Servers.

Note 2: Sun ONE/iPlanet Web Servers could be used as an agent to exploit this issue.


Contributing Factors

This issue can occur in the following releases:

  • Sun ONE/iPlanet Web Server 4.1 and all Service Packs
  • Sun ONE/iPlanet Web Server 6.0 and all Service Packs
  • Sun ONE/iPlanet Web Server 6.1 and all Service Packs
  • Sun Java System Web Server 7.0 and later

For supported architectures and OS versions see: http://wwws.sun.com/software/download/download/5292.html.


Symptoms

There are no predictable symptoms that would show the described issue has been exploited.


Workaround

The described issue is not a defect of the Sun ONE/iPlanet Web Server. However, the following recommendation is provided to avoid this issue.

Disable HTTP TRACE support for Sun ONE/iPlanet Web Server 4.1 and 6.0 as follows:

  • Sun ONE Web Server releases 6.0 Service Pack 2 and later, 6.1, and 7.0 and later:
	Add the following to the top of the default object in obj.conf:

	<Client method="TRACE">
	AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
	</Client>

	Restart the web server.
  • Sun ONE Web Server releases prior to 6.0 Service Pack 2:
	Create a file called reject_trace.c and paste the code below into it
	----------------------------- start --------------------------------

	#include <string.h>   /* strcmp */
	#include "nsapi.h"

	/* AuthTrans SAF: refuse HTTP TRACE requests before any handler sees them. */
	NSAPI_PUBLIC int reject_trace(pblock *pb, Session *sn, Request *rq)
	{
	    const char *method;

	    method = pblock_findval("method", rq->reqpb);
	    if (method && !strcmp(method, "TRACE")) {
	        /*
	         * Set a bogus content length so the TRACE handler will refuse to
	         * handle the request
	         */
	        param_free(pblock_remove("transfer-encoding", rq->headers));
	        param_free(pblock_remove("content-length", rq->headers));
	        pblock_nvinsert("content-length", "-1", rq->headers);

	        log_error(LOG_WARN, "reject-trace", sn, rq, "rejecting TRACE request");

	        /* Answer 501 Not Implemented and stop processing this request. */
	        protocol_status(sn, rq, PROTOCOL_NOT_IMPLEMENTED, NULL);

	        return REQ_ABORTED;
	    }

	    /* Not a TRACE request: let normal request processing continue. */
	    return REQ_NOACTION;
	}
	----------------------- end --------------------------------

	Compile the NSAPI plugin using the instructions at:

	  6.x: http://docs.sun.com/source/816-5686-10/04_mysaf.htm#15053
	  4.x: http://docs.sun.com/source/816-5673-10/04_mysaf.htm#15053


For Sun ONE/iPlanet Web Server 6.0 RTM and 6.0 SP1, add the following to the end of the magnus.conf file:

	Init fn="load-modules" shlib="<path to library>/reject_trace.so" funcs="reject_trace"

Then edit the obj.conf file and add the following line after <Object name="default">:

	AuthTrans fn="reject_trace"

For Sun ONE/iPlanet Web Server 4.1 Service Pack 1 through 12, edit the obj.conf file and add the following to the end of the Init section:

	Init fn="load-modules" shlib="<path to library>/reject_trace.so" funcs="reject_trace"

Then add the following line after <Object name="default">:

	AuthTrans fn="reject_trace"

Note: The above script is provided "AS IS" and it is the user's responsibility to verify it has been implemented correctly.
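As an added verification check (not part of this Sun Alert and not Sun's code), the following Python script sends a TRACE request carrying a constructed marker header and tells from the raw response whether the server reflected the request (TRACE still enabled) or refused it with 501 Not Implemented, as the workaround above does. The header name X-Trace-Check, the two sample responses and the probe() helper are assumptions of this example; it speaks plain HTTP only and is meant to be run against servers you administer, after the workaround has been applied.

```python
"""Verify whether a web server still answers HTTP TRACE.

Added example (not part of the Sun Alert): sends a TRACE request that carries a
constructed marker header and classifies the raw response. A server with TRACE
enabled reflects the request (marker included) in a 200 message/http body; a
server with the alert's workaround applied answers 501 Not Implemented.
"""
import os
import socket

# Constructed header name; any unusual header works as an echo marker.
MARKER_HEADER = "X-Trace-Check"


def build_trace_request(host: str, path: str = "/", marker: str = "marker-1234") -> bytes:
    """Build a minimal HTTP/1.1 TRACE request carrying the marker header."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"{MARKER_HEADER}: {marker}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(raw: bytes, marker: str) -> str:
    """Return 'echoed' (TRACE enabled), 'rejected' (TRACE refused) or 'unclear'."""
    status, _headers, body = parse_response(raw)
    body_text = body.decode("iso-8859-1", errors="replace")
    reflected = f"{MARKER_HEADER}: {marker}" in body_text
    if status == 200 and reflected:
        return "echoed"          # RFC 2616 TRACE behaviour: request reflected
    if status in (405, 501):
        return "rejected"        # method refused; 501 is what the workaround sends
    if status >= 400 and not reflected:
        return "rejected"
    return "unclear"             # e.g. 200 without reflection: inspect by hand


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Live check over plain HTTP against a server you administer (not run offline)."""
    marker = "marker-" + os.urandom(4).hex()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, path, marker))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks), marker)


# Constructed sample responses so the classifier can be exercised offline.
ECHOED_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Trace-Check: marker-1234\r\n"
    b"Connection: close\r\n"
)
REJECTED_SAMPLE = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys
    print("sample echo   ->", classify_trace_response(ECHOED_SAMPLE, "marker-1234"))
    print("sample reject ->", classify_trace_response(REJECTED_SAMPLE, "marker-1234"))
    if len(sys.argv) > 1:
        target_host = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(target_host, "->", probe(target_host, target_port))
```

Run it with no arguments to see the two sample classifications, or pass a host and port to check a server after restarting it with the obj.conf change. A result of "echoed" means the TRACE body still contains the request headers the alert warns about; "unclear" (for example a 200 without the marker reflected) should be looked at by hand rather than treated as fixed.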


Resolution

This issue may be addressed by disabling HTTP TRACE as shown above in the Relief/Workaround section.

Note: This issue affects all future releases of this product.

Modification History

Date: 26-AUG-2009
  • Updated Contributing Factors to include Web Server 7.0 and all subsequent releases

Date: 02-MAY-2003
  • Updated Relief/Workaround section

Date: 19-MAY-2003
  • typos in Relief/Workaround section

Date: 13-AUG-2004
  • Updated Contributing Factors and Relief/Workaround sections




Attachments
This solution has no attachment

Article Details
Article ID : 200171
Article Type : Sun Alert
Last reviewed : 2010-01-25
Audience : PUBLIC