Vulnerability fix: disabling the TRACE and/or TRACK methods

Vulnerability description:

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

The web server has the following HTTP methods enabled: TRACE
Impact
An attacker may use this flaw to trick your legitimate web users to give him their credentials.
Solution:
Solution type: Mitigation
Disable the TRACE and TRACK methods in your web server configuration.
Please see the manual of your web server or the references for more information.
Affected Software/OS
Web servers with enabled TRACE and/or TRACK methods.
Vulnerability Insight
It has been shown that web servers supporting these methods are subject to cross-site-scripting
attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses
in browsers.
Vulnerability Detection Method
Checks if HTTP methods such as TRACE and TRACK are enabled and can be used.
Details: HTTP Debugging Methods (TRACE/TRACK) Enabled
OID:1.3.6.1.4.1.25623.1.0.11213
Version used: 2022-05-12T09:32:01Z
References
cve: CVE-2003-1567
cve: CVE-2004-2320
cve: CVE-2004-2763
cve: CVE-2005-3398
cve: CVE-2006-4683
cve: CVE-2007-3008
cve: CVE-2008-7253
cve: CVE-2009-2823
cve: CVE-2010-0386
cve: CVE-2012-2223
cve: CVE-2014-7883

Resolution: disable the TRACE and TRACK methods as recommended.

Procedure: for Apache versions above 2.2, add TraceEnable off at the end of httpd.conf.

1. Check the Apache version: httpd -v

[root@ecs-9408 conf]# httpd -v
-bash: httpd: command not found
[root@ecs-9408 conf]# export PATH=/usr/local/apache/bin:$PATH
[root@ecs-9408 conf]# echo $PATH
/usr/local/apache/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[root@ecs-9408 conf]# httpd -v
Server version: Apache/2.4.54 (Unix)
Server built:   Nov  6 2022 20:58:09

2. Edit httpd.conf

vi /usr/local/apache/conf/httpd.conf

Add the following line at the end of the file:

TraceEnable off

Note: on some installations the path is /etc/httpd/conf/httpd.conf instead.

3. Restart Apache

/usr/local/apache/bin/apachectl restart

4. Test

Before disabling TRACE:

telnet xxx.xxx.xxx.xx 8092
TRACE / HTTP/1.0
X-Test:abcde

The server responds with 200 OK (the request is echoed back in the response body).

After disabling TRACE, the same test returns 405 Method Not Allowed:

HTTP/1.1 405 Method Not Allowed
Date: Thu, 08 Dec 2022 02:30:05 GMT
Server: Apache
Allow:
Content-Length: 348
Connection: close
Content-Type: text/html; charset=iso-8859-1
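The telnet check in step 4 relies on reading the response by eye. The script below is an added example (not part of the original post) that performs the same TRACE probe against a server you administer and classifies the answer: it treats the result as "enabled" only when the server returns 200 and echoes the X-Test header back, as TRACE does, and as "disabled" on 405. The two sample responses are constructed here for offline demonstration; the 405 header block mirrors the one shown above, and the body and the example.invalid host name are made up.

```python
"""Probe a web server for an enabled HTTP TRACE method (XST exposure check).

Added example; not part of the original post. Assumes the target host/port
belongs to you and speaks plain HTTP (wrap the socket with ssl for HTTPS).
"""
import socket
import sys

# Constructed sample responses (not captured from a real server).
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 08 Dec 2022 02:30:05 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\n"
    b"Host: example.invalid\r\n"
    b"X-Test: abcde\r\n"
    b"\r\n"
)
SAMPLE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Date: Thu, 08 Dec 2022 02:30:05 GMT\r\n"
    b"Server: Apache\r\n"
    b"Allow:\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>405 Method Not Allowed</h1></body></html>\r\n"
)

MARKER = b"X-Test: abcde"


def build_trace_request(host: str, path: str = "/") -> bytes:
    # HTTP/1.0: the server closes the connection after one response,
    # so the client can simply read until EOF.
    return (
        f"TRACE {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "X-Test: abcde\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(raw: bytes) -> int:
    """Return the HTTP status code from a raw response, or 0 if unparseable."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(parts[1])
    except ValueError:
        return 0


def trace_echoed(raw: bytes, marker: bytes = MARKER) -> bool:
    """True if the response body echoes our request header, i.e. TRACE worked."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return sep != b"" and marker in body


def classify(raw: bytes) -> str:
    """Map a raw response to 'enabled', 'disabled' or 'unexpected (<status>)'."""
    status = parse_status(raw)
    if status == 200 and trace_echoed(raw):
        return "enabled"
    if status == 405:
        return "disabled"
    # A 200 without the echo is not proof that TRACE works; report it for review.
    return f"unexpected ({status})"


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one TRACE request over a plain TCP socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify(b"".join(chunks))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python trace_check.py <host> <port>
        print(check_trace(sys.argv[1], int(sys.argv[2])))
    else:
        for name, raw in (("sample 200", SAMPLE_ENABLED), ("sample 405", SAMPLE_DISABLED)):
            print(f"{name}: {classify(raw)}")
```

Run it without arguments to see the two constructed samples classified; run it with a host and port to probe a server after applying TraceEnable off, expecting "disabled". Checking for the echoed header rather than the status code alone avoids a false positive when a proxy or application answers 200 to any method without actually implementing TRACE.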


Reposted from blog.csdn.net/xch_yang/article/details/128241403