Disable HTTP tracking/tracing

1. Vulnerability description

Vulnerability description:

The remote web server supports the TRACE and/or TRACK methods. HTTP TRACE asks the web server to echo the request it received back to the client: the full request, including HTTP headers (which can carry sensitive data such as cookies or authentication tokens), is returned in the entity body of the TRACE response. The method is primarily used by developers to test and debug HTTP applications and is enabled by default in most web server software.
Fix suggestion:
Disable these HTTP methods.

Risk Level: Medium

CVE-2003-1567
CVE-2004-2320
CVE-2010-0386

2. Processing

1. The vulnerability stems from the HTTP module Doris uses in the production environment. It can be verified as follows:

curl -v -X TRACE -I http://localhost:8030
nmap -n -p8030 -sT --script http-methods,http-trace be_ip
cat /proc/BE_pid/status   # shows TracerPid; when non-zero it is the pid of the process attached to the BE (the ptrace tracer, not the HTTP TRACE method)
# On Linux you can also test for a TRACE echo directly with telnet
curl -sIX TRACE $TARGET | awk 'NR==1 {print $2}'   # 200 means the risk is present; a hardened server returns 405 or 501

2. When Doris deploys the BE backend it uses Python's SimpleHTTPServer (not recommended for production environments; it implements only basic security checks) or the http.server module (likewise not recommended for production) to stand up a web service quickly. The following is an example of such an http server:

# -*- coding: UTF-8 -*-
# Python 2 example: BaseHTTPServer and urllib.splitquery were folded into
# http.server and urllib.parse in Python 3.
import time
import os
import sys
import urllib
from BaseHTTPServer import (HTTPServer, BaseHTTPRequestHandler)


def close_std_fd():
    # Redirect the standard streams to /dev/null for the daemonised process.
    f = open(os.devnull, 'w')
    sys.stdin = f
    sys.stdout = f
    sys.stderr = f


def daemon(func):
    # Classic double fork: the original parent and the intermediate child
    # both return, leaving a detached grandchild to run func().
    pid = os.fork()
    if pid > 0:
        return
    os.setsid()
    pid = os.fork()
    if pid > 0:
        return
    os.chdir('/')
    os.umask(0)
    close_std_fd()
    func()


class MyHandler(BaseHTTPRequestHandler):
    # Only do_GET and do_POST are defined. BaseHTTPRequestHandler dispatches
    # on a do_<METHOD> attribute and answers 501 Unsupported method for any
    # method it lacks, so this handler never echoes a TRACE request.
    def do_response(self):
        print(self.request)
        print("request path is %s" % self.path)
        print("request from ip  is %s" % self.client_address[0])
        url_path, url_pargs = urllib.splitquery(self.path)
        print("request url path is %s" % url_path)
        print("request pargs is %s" % url_pargs)
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write("<h1>Device Static Content</h1>")

    def do_GET(self):
        self.do_response()

    def do_POST(self):
        datas = self.rfile.read(int(self.headers['content-length']))
        print("post data is %s" % datas)
        print("post data type is %s" % type(datas))
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write("<h1>Device Static Content</h1>")


def run_server():
    # Port 99 is privileged; the process must run as root to bind it.
    server_address = ("", 99)
    server = HTTPServer(server_address, MyHandler)
    sa = server.socket.getsockname()
    print("sa is below")
    print(sa)
    print("Serving  on %s using port %s ..." % (sa[0], sa[1]))
    server.serve_forever()


if __name__ == '__main__':
    if "-d" in sys.argv:
        daemon(run_server)
    else:
        run_server()

Official example:

import http.server
import socketserver
from http.server import HTTPServer, BaseHTTPRequestHandler

PORT = 8000

Handler = http.server.SimpleHTTPRequestHandler


def run(server_class=HTTPServer, handler_class=BaseHTTPRequestHandler):
    # Second snippet from the docs: a plain server with the base handler.
    # The base handler defines no do_<METHOD> at all, so every request,
    # TRACE included, is answered with 501.
    server_address = ('', 8000)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()


if __name__ == '__main__':
    # First snippet from the docs: serve the current directory on PORT.
    # serve_forever() blocks, so anything placed after it would never run.
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("serving at port", PORT)
        httpd.serve_forever()

No built-in setting for disabling TRACE was found in these modules; see the documentation on python.org for details.
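The verification one-liner from step 1 and the Python handlers above can be exercised together. The following Python 3 block is an added example written for this page; it is not code from the original post or from Doris. It runs a handler that defines only do_GET (the shape of the examples above) and a hardened subclass that answers TRACE and TRACK with 405, probes each with a TRACE request carrying a constructed Cookie header, and classifies the status the same way the awk filter above does (200 risky, 405 or 501 refused). The names PlainHandler, NoTraceHandler, trace_status, classify and probe, and the sample cookie value, are this example's own.

```python
"""Added example (not from the original post): a Python 3 http.server
handler that refuses TRACE/TRACK, plus a probe that performs the same
check as the `curl -sIX TRACE` one-liner and classifies the status."""
import http.client
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer


class PlainHandler(BaseHTTPRequestHandler):
    """Minimal handler with only do_GET, like the post's examples.
    BaseHTTPRequestHandler dispatches on a do_<METHOD> attribute and answers
    501 Unsupported method for anything it lacks, so TRACE is not echoed."""

    def do_GET(self):
        body = b"<h1>Device Static Content</h1>"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep the probe output quiet; remove this to see request logs.
        pass


class NoTraceHandler(PlainHandler):
    """Same handler, but TRACE/TRACK are refused explicitly with 405 and an
    Allow header, matching the Apache/Nginx rules in the appendix. Defining
    do_TRACE pins the behaviour down even if a later subclass adds one."""

    ALLOWED = ("GET", "HEAD")

    def _refuse(self):
        self.send_response(HTTPStatus.METHOD_NOT_ALLOWED)
        self.send_header("Allow", ", ".join(self.ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACE = _refuse
    do_TRACK = _refuse


def trace_status(host, port):
    """Send one TRACE request (what `curl -X TRACE` does) and return the
    numeric status, i.e. the field the awk filter prints. The Cookie value
    is a constructed sample so an echoing server would visibly leak it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": "session=constructed-sample"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def classify(status):
    """200 means the server echoes TRACE (risk); 405/501 means it is refused."""
    if status == 200:
        return "VULNERABLE: TRACE echoed"
    if status in (405, 501):
        return "OK: TRACE refused"
    return "UNKNOWN: status %d" % status


def serve_in_background(handler_class):
    """Start handler_class on 127.0.0.1 with an OS-chosen port."""
    server = HTTPServer(("127.0.0.1", 0), handler_class)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(handler_class):
    """Serve handler_class locally, probe it with TRACE, shut down, return status."""
    server, port = serve_in_background(handler_class)
    try:
        return trace_status("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for cls in (PlainHandler, NoTraceHandler):
        status = probe(cls)
        print("%-15s -> %d  %s" % (cls.__name__, status, classify(status)))
```

Run it directly to see the two verdicts. BaseHTTPRequestHandler already answers 501 for any method without a do_<METHOD> handler, so the explicit do_TRACE mainly makes the refusal deliberate and returns the 405 that the appendix rules use; trace_status can also be pointed at a real host and port to replace the curl one-liner.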

3. Based on the above, put Apache httpd or Nginx in front of Doris's web service and disable TRACE there. The httpd and Nginx configuration follows.

Note: Guidance from anyone who has successfully fixed this in practice is welcome.

3. Appendix

1) Disable TRACE in the Apache HTTP service:

vim /etc/httpd/conf/httpd.conf   # append the following as the last line of the file
TraceEnable off
vim host.conf                    # add the same directive there as well, then restart Apache
/etc/init.d/httpd restart

# In addition, experience shows that HTTP TRACE requests can be blocked with the mod_rewrite module. The mod_rewrite.so module is located under /usr/local/apache by default; in httpd.conf, LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so" loads the module. Then add the following to httpd.conf or to each virtual host's configuration file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# Disable the OPTIONS method:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(OPTIONS)
RewriteRule .* - [F]
# Disable both the TRACE and the OPTIONS method:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

2) Nginx: disable PATCH|TRACE

if ($request_method ~ ^(PATCH|TRACE)$) {
    return 405;
}

http {
    server {
        if ($request_method ~ ^(PATCH|TRACE)$) {
            return 405;
        }
        location / {
            proxy_pass http://fedser32.stack.com:8080;
        }

        location ~ \.(gif|jpg|png)$ {
            root /data1;
        }
    }

    server {
        if ($request_method ~ ^(PATCH|TRACE)$) {
            return 405;
        }
        listen 8080;
        root /data1/up1;

        location / {
        }
    }
}

3) Disable in IIS:

IIS7 and above:

appcmd.exe set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false']

IIS6 (registry, as a .reg file):

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"EnableTraceMethod"=dword:00000000


Origin blog.csdn.net/ximenjianxue/article/details/125963107