Disabling HTTP TRACE/TRACK

I. Vulnerability description

Vulnerability description:

The remote web server supports the TRACE and/or TRACK methods. HTTP TRACE asks the web server to echo the contents of the request back to the client. The full request (including HTTP headers, which may contain sensitive information such as cookies or authentication data) is returned in the entity body of the TRACE response. The method is used mainly by developers to test and debug HTTP applications, and it is enabled by default in most web server software.
Remediation:
Disable these HTTP methods.

Risk level: Medium

CVE-2003-1567
CVE-2004-2320
CVE-2010-0386

II. Handling

1. This finding was caused by the on-site environment using Doris's HTTP module; it can be verified as follows:

curl -v -X TRACE -I http://localhost:8030
nmap -n -p8030 -sT --script http-methods,http-trace be_ip
cat /proc/BE_pid/status  # TracerPid will be non-zero; its value is the pid of the parent process attached to it
# On Linux, telnet can also be used directly to test whether TRACE echoes the request back
curl -sIX TRACE $TARGET | awk 'NR==1 {print $2}'  # a result of 200 means the risk is present; a hardened server should return 405 or 501

2. When the Doris BE backend is deployed, Python's SimpleHTTPServer (not recommended for production; it implements only rudimentary security) or the http.server module (also not recommended for production) is used to stand up a web service quickly. Here is an http-server example:

# -*- coding: UTF-8 -*-
# Python 2 example: BaseHTTPServer and urllib.splitquery do not exist in Python 3.
import os
import sys
import urllib
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler


def close_std_fd():
    # Point the standard streams at /dev/null when running as a daemon.
    f = open(os.devnull, 'w')
    sys.stdin = f
    sys.stdout = f
    sys.stderr = f


def daemon(func):
    # Classic double fork: the parent returns, the grandchild runs func().
    pid = os.fork()
    if pid > 0:
        return
    os.setsid()
    pid = os.fork()
    if pid > 0:
        return
    os.chdir('/')
    os.umask(0)
    close_std_fd()
    func()


class MyHandler(BaseHTTPRequestHandler):
    def do_response(self):
        print(self.request)
        print("request path is %s" % self.path)
        print("request from ip is %s" % self.client_address[0])
        url_path, url_pargs = urllib.splitquery(self.path)
        print("request url path is %s" % url_path)
        print("request pargs is %s" % url_pargs)
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write("<h1>Device Static Content</h1>")

    def do_GET(self):
        self.do_response()

    def do_POST(self):
        # Read exactly Content-Length bytes of the body (0 when the header is absent).
        length = int(self.headers.get('content-length', 0))
        datas = self.rfile.read(length)
        print("post data is %s" % datas)
        print("post data type is %s" % type(datas))
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write("<h1>Device Static Content</h1>")


def run_server():
    server_address = ("", 99)  # port 99 is privileged; binding it requires root
    server = HTTPServer(server_address, MyHandler)
    sa = server.socket.getsockname()
    print("Serving on %s using port %s ..." % (sa[0], sa[1]))
    server.serve_forever()


if __name__ == '__main__':
    if "-d" in sys.argv:
        daemon(run_server)
    else:
        run_server()

Official example:

import socketserver
from http.server import HTTPServer, BaseHTTPRequestHandler, SimpleHTTPRequestHandler

PORT = 8000


def run(server_class=HTTPServer, handler_class=BaseHTTPRequestHandler):
    # The second form shown in the python.org docs: serve forever with the given handler.
    server_address = ('', 8000)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()


if __name__ == '__main__':
    Handler = SimpleHTTPRequestHandler
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("serving at port", PORT)
        httpd.serve_forever()

No way to handle this was found; see the description on python.org for more.
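As an added example (not from the original post, Doris or the python.org docs), the following Python 3 http.server handler answers TRACE and TRACK with 405 instead of echoing the request, and a small probe applies the same 200-versus-405/501 rule as the curl check in section II.1. The loopback address, ephemeral port and the X-Probe marker header are assumptions made for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class NoTraceHandler(BaseHTTPRequestHandler):
    """Serves GET/HEAD and refuses the request-echoing TRACE/TRACK methods."""
    ALLOWED = ("GET", "HEAD")

    def do_GET(self):
        body = b"<h1>Device Static Content</h1>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def _reject(self):
        # 405 plus an Allow header; nothing from the request line or headers is written back.
        self.send_response(405)
        self.send_header("Allow", ", ".join(self.ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACE = _reject
    do_TRACK = _reject

    def log_message(self, *args):  # keep the demonstration quiet
        pass


def start_server(handler=NoTraceHandler, port=0):
    """Bind 127.0.0.1 on an ephemeral port, serve in a daemon thread, return (server, port)."""
    server = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def trace_status(host, port):
    """Send TRACE with a marker header (constructed); return (status, marker echoed?)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"X-Probe": "trace-check"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, b"X-Probe: trace-check" in body


def is_trace_exposed(host, port):
    """The advisory's rule: 200 (or an echoed request) is a finding; 405/501 is fine."""
    status, echoed = trace_status(host, port)
    return status == 200 or echoed
```

Passing the stock `BaseHTTPRequestHandler` to `start_server` shows the default behaviour the curl check treats as safe: an unimplemented method gets 501 and the request is not echoed.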

3. Based on the above, replace Doris's web service with httpd (Apache) or nginx, and disable TRACE in httpd or nginx.

Note: experienced engineers and programmers who have carried this out successfully are welcome to advise on how to fix it.

III. Appendix

1) Disabling TRACE on the httpd (Apache) service:

vim /etc/httpd/conf/httpd.conf   # add the following directive on the last line of the file
TraceEnable off
vim host.conf   # add the same directive there too, then restart Apache
/etc/init.d/httpd restart

# In addition, experience shows that the mod_rewrite module can be used to block HTTP TRACE requests. The mod_rewrite.so module is located under /usr/local/apache by default; in httpd.conf, LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so" loads the module. Then add the following to httpd.conf or to each virtual host's configuration file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# Disable the OPTIONS method:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(OPTIONS)
RewriteRule .* - [F]
# Disable the TRACE and OPTIONS methods together
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

2) Nginx: disabling PATCH|TRACE

if ($request_method ~ ^(PATCH|TRACE)$) {
    return 405;
}

http {
    server {
        if ($request_method ~ ^(PATCH|TRACE)$) {
            return 405;
        }
        location / {
            proxy_pass http://fedser32.stack.com:8080;
        }

        location ~ \.(gif|jpg|png)$ {
            root /data1;
        }
    }

    server {
        if ($request_method ~ ^(PATCH|TRACE)$) {
            return 405;
        }
        listen 8080;
        root /data1/up1;

        location / {
        }
    }
}

3) Disabling in IIS:

IIS 7 and later:

appcmd.exe set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false']

IIS 6:

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"EnableTraceMethod"=dword:00000000


Reposted from blog.csdn.net/ximenjianxue/article/details/125963107