A customer's vulnerability analysis reported that the HTTP service running on port 9443 and port 80 of the server hosting the Management Console for Unix (MCU) has the OPTIONS method and the HTTP TRACE method enabled.
QAS Version 4.0.3.55
MCU 2.0.0
IIS 7
Workaround:
Edit the file webdefaults.xml, located at <install_dir>\etc\webdefaults.xml
Add the following just above the closing </web-app> tag at the end of the file, as shown in the example below:
<!-- add security constraints to disable the HTTP methods OPTIONS and TRACE -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Disable TRACE</web-resource-name>
    <url-pattern>/</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- an empty auth-constraint denies the method to all users -->
  <auth-constraint/>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Disable OPTIONS</web-resource-name>
    <url-pattern>/</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
</web-app>
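One way to confirm the edit is present in the file, as an added example that is not part of the original article or the product's own code: the script parses a webdefaults.xml and reports which of TRACE and OPTIONS are not yet covered by a deny-all constraint. The sample XML, its namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: one deny-all constraint per method, as in the workaround.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Disable {m}</web-resource-name>
    <url-pattern>/</url-pattern>
    <http-method>{m}</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>"""
WEB_APP = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">{body}</web-app>'
SAMPLE = WEB_APP.format(body=CONSTRAINT.format(m="TRACE") + CONSTRAINT.format(m="OPTIONS"))


def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(xml_text, pattern="/"):
    """Return the HTTP methods explicitly denied to everyone for the url-pattern."""
    denied = set()
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        # Only an auth-constraint with no role-name children denies all access.
        if not auth or any(len(a) for a in auth):
            continue
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            pats = [(e.text or "").strip() for e in wrc if local(e.tag) == "url-pattern"]
            if pattern in pats:
                denied.update((e.text or "").strip().upper() for e in wrc
                              if local(e.tag) == "http-method")
    return denied


def missing_methods(xml_text, required=("TRACE", "OPTIONS")):
    """Methods from `required` that the file does not yet block."""
    return sorted(set(required) - denied_methods(xml_text))


if __name__ == "__main__":
    print("still allowed:", missing_methods(SAMPLE) or "none")
```

To check a real file, pass its contents read in binary mode (`open(path, "rb").read()`) to `missing_methods`; an empty list means both constraints are in place.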
© 2025 One Identity LLC. ALL RIGHTS RESERVED.