转自:"远端www服务支持TRACE请求"验证及修复(apache,Jetty,Tomcat)
在服务器漏扫中经常遇到"远端www服务支持TRACE请求"漏洞,绿盟扫描器所提供修复建议有不适用的情况。对已经处理过的不同应用禁用TRACE请求做一总结记录。
首先漏洞验证:
模拟trace请求,假设报漏洞的端口是8081:
curl -v -X TRACE -I localhost:8081
如果回显为:
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: message/http
Content-Type: message/http
则该端口服务支持trace请求,漏洞存在。
如果回显为:
< HTTP/1.1 403 Forbidden
< Content-Type: text/html; charset=iso-8859-1
或者回显为
< HTTP/1.1 405 Method Not Allowed
< Content-Type: text/html; charset=iso-8859-1
则该漏洞不存在。
漏洞修复:
1.对于apache:
对于2.0.55以上版本的apache服务器,
在httpd.conf尾部添加如下指令后重启apache即可:
TraceEnable off
其它版本的Apache服务器可编辑httpd.conf文件:
激活rewrite模块(去掉符号 # ):
LoadModule rewrite_module modules/mod_rewrite.so
在各虚拟主机的配置文件里添加如下语句:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
注:可以在httpd.conf里搜索VirtualHost确定虚拟主机的配置文件。
2.对于非内嵌tomcat:
直接修改tomcat根目录conf目录下的web.xml,
在文件末尾(之前)添加如下代码:
<security-constraint>
<web-resource-collection>
<url-pattern>/*url-pattern>
<http-method>PUThttp-method>
<http-method>DELETEhttp-method>
<http-method>HEADhttp-method>
<http-method>OPTIONShttp-method>
<http-method>TRACEhttp-method>
web-resource-collection>
<auth-constraint>
auth-constraint>
security-constraint>
<login-config>
<auth-method>BASICauth-method>
login-config>
注:在tomcat的在server.xml中先允许TRACE请求,再在web.xml中禁用TRACE,以此禁用TRACE请求.
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="true"
redirectPort="8443" />
3.对于spring boot内嵌tomcat:
配置TomcatConfig.java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class TomcatConfig {
@Bean
public EmbeddedServletContainerFactory servletContainer() {
TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer(){
@Override
public void customize(Context context) {
SecurityConstraint securityConstraint = new SecurityConstraint();
securityConstraint.setUserConstraint("CONFIDENTIAL");
SecurityCollection collection = new SecurityCollection();
collection.addPattern("/*");
collection.addMethod("HEAD");
collection.addMethod("PUT");
collection.addMethod("DELETE");
collection.addMethod("OPTIONS");
collection.addMethod("TRACE");
collection.addMethod("COPY");
collection.addMethod("SEARCH");
collection.addMethod("PROPFIND");
securityConstraint .addCollection(collection);
context.addConstraint(securityConstraint );
}
});
//禁用TRACE请求
tomcatServletContainerFactory.addConnectorCustomizers(connector -> {
connector.setAllowTrace(true);
});
return tomcatServletContainerFactory;
}
}
4.对于非内嵌式Jetty:
在jetty.xml中增加配置:
<security-constraint>
<web-resource-collection>
<web-resource-name>NoTraceweb-resource-name>
<url-pattern>/*url-pattern>
<http-method>TRACEhttp-method>
web-resource-collection>
<auth-constraint>auth-constraint>
security-constraint>
5.对于Springboot内嵌式Jetty:
由于这种情况没有实际操作过,代码参考其他博主。采用拦截器来过滤所有的trace请求->启动类增加配置来实现,或者和内嵌式tomcat一样直接添加Jetty配置类来实现也可以。