Thursday, 22 August 2013

IBM HTTP Server - Disabling the HTTP TRACE method

One of my colleagues contacted me yesterday asking whether it was possible to disable the HTTP TRACE method in IBM HTTP Server.

He referenced me to this page in the IHS Information Center: -

Disabling the HTTP TRACE method


which says, in part: -

The HTTP TRACE request method causes the data received by IBM HTTP Server from the client to be sent back to the client, as in the following example:

$ telnet 127.0.0.1 8080
Trying...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
A: b
C: d

HTTP/1.1 200 OK
Date: Mon, 04 Oct 2004 14:07:59 GMT
Server: IBM_HTTP_SERVER
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
A: b
C: d
Host: foo

Connection closed.

The TRACE capability could be used by vulnerable or malicious applications to trick a web browser into issuing a TRACE request against an arbitrary site and then send the response to the TRACE to a third party using web browser features.

He didn't have an IHS server with which to play, so I tested the hypothesis on my own Red Hat Enterprise Linux box, using IHS 7.0.0.0: -

With TRACE enabled in HTTPD.CONF ( default state )

$ telnet rhel6.uk.ibm.com 8080

Trying 127.0.0.1...
Connected to rhel6.uk.ibm.com.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
A: b
C: d

HTTP/1.1 200 OK
Date: Wed, 21 Aug 2013 10:17:58 GMT
Server: IBM_HTTP_Server
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: foo
A: b
C: d

Connection closed by foreign host.

With TRACE disabled in HTTPD.CONF

I added: -

LoadModule rewrite_module modules/mod_rewrite.so

RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 

to httpd.conf and restarted IHS ( /opt/IBM/HTTPServer/lbin/apachectl start )

$ telnet rhel6.uk.ibm.com 8080

Trying 127.0.0.1...
Connected to rhel6.uk.ibm.com.
Escape character is '^]'.
TRACE /HTTP/1.0
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /HTTP/1.0
on this server.</p>
<hr>
<address>IBM_HTTP_Server at localhost Port 8080</address>
</body></html>
Connection closed by foreign host.

which looks to be a good sign.

The access.log file also confirms the behaviour: -

127.0.0.1 - - [21/Aug/2013:11:17:58 +0100] "TRACE / HTTP/1.0" 200 43 <- This is what I see BEFORE I changed HTTPD.CONF and restarted IHS
127.0.0.1 - - [21/Aug/2013:11:32:07 +0100] "TRACE /HTTP/1.0" 403 273 <- This is what I see AFTER changing HTTPD.CONF and restarting IHS

We also "spoke" about the the HTTP TRACK method. Again, the Information Center article says this: -

The HTTP TRACK method

The TRACK method is a type of request supported by Microsoft web servers. It is not RFC compliant and is not supported directly by IBM HTTP Server. The method may be utilized as part of a cross-site scripting attack. See Vulnerability Note VU#288308 for more information.

Even though IBM HTTP Server does not support the TRACK method natively, it is possible for plug-in modules to provide support for it. To disable this capability for plug-in modules, in addition to disabling the TRACE method, add these two additional directives after the existing RewriteCond and RewriteRule directives which are used to disable TRACE:

RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]

Here is a full example showing the directives to disable both TRACE and TRACK:

...
# disable TRACE and TRACK in the main scope of httpd.conf
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F] 
...
<VirtualHost www.example.com>
...
# disable TRACE and TRACK in the www.example.com virtual host
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F] 
</VirtualHost>

Note that for IBM HTTP Server 7.0 and later, the only method to disable TRACK is via mod_rewrite. Since IHS doesn't do anything with TRACK, there is no directive to "disable" it.

So, for completeness, here's HTTPD.CONF now: -

<snip>
LoadModule rewrite_module modules/mod_rewrite.so

RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
</snip>

Sweet :-)

Finally, I also recommended that my colleague review ( and share ) this excellent developerWorks article by Martin Lansche and Keys Botzum: -


Summary:  Security consists of more than just some firewalls at the edge of your network protecting you from the outside. It is a difficult and complex set of actions and procedures that strive to strengthen your systems as much as is appropriate. This article discusses many aspects of security in general, including the IBM® WebSphere® Application Server security architecture, and discusses hardening a WebSphere Application Server environment. This updated article has been significantly revised for WebSphere Application Server V7, 8.0, and 8.5, and has been edited to focus solely on hardening. Part 1 of 2. This content is part of the IBM WebSphere Developer Technical Journal.



No comments: