Disable Lotus Domino/Notes HTTP TRACE / TRACK Methods

HTTP TRACE / TRACK Methods
Synopsis : Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users into giving him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution : Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output : Nessus sent the following TRACE request :

—————————— snip ——————————
TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

—————————— snip ——————————

and received the following response from the remote server :

—————————— snip ——————————
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Fri, 11 Sep 2009 17:13:13 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 11 Sep 2009 17:13:13 GMT
Content-Type: message/http
Content-Length: 294

TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
—————————— snip ——————————

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485

Nessus ID : 11213

How to Disable HTTP TRACE/TRACK for IBM Lotus Domino Server

Option 1:

If you are using Internet Sites, edit the Web Site document.

1. Open the Web Site document and go to the Configuration tab

2. Un-check TRACE and OPTIONS

Option 2:

If you are using the Web Configuration view instead of Internet Sites, you can disable HTTP methods with the notes.ini variable HTTPDisableMethods, whose value is the name of the method to disable.

Append the line below to the notes.ini of the Lotus Domino server:

HTTPDisableMethods=TRACE

Restart HTTP Service:

Restart your HTTP service for the setting to take effect by running the command below in the Domino console:

Tell http restart

Option 3:

Run the following command from the Domino Console:

set configuration HTTPDisableMethods=TRACE

tell http restart

Remark: Do not disable the CONNECT and OPTIONS methods, because they are used by Lotus Traveler.
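After applying any of the options above, it is worth confirming the fix the same way the scanner found the issue. The script below is an added example, not code from the original post or from IBM's documentation: it sends a TRACE probe shaped like the Nessus request shown earlier and reports whether the server still echoes it back. The probe path /trace-check.html, the X-Trace-Check canary header, and the two sample responses are assumptions constructed for this example.

```python
import socket

CANARY = b"X-Trace-Check: canary"  # hypothetical header we add so the echo is unmistakable

def build_trace_request(host, path="/trace-check.html"):
    """Minimal TRACE probe with the same shape as the Nessus request shown above."""
    head = f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
    return head.encode("ascii") + CANARY + b"\r\n\r\n"

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw):
    """TRACE is live when the server answers 200 and echoes the request back:
    Content-Type message/http, or our canary header visible in the body."""
    status, headers, body = parse_response(raw)
    echoed = headers.get("content-type", "").startswith("message/http") or CANARY in body
    return status == 200 and echoed

def check_trace(host, port=80, timeout=5.0):
    """Probe a live server; True means TRACE is still enabled and the fix did not take."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return trace_enabled(b"".join(chunks))

# Constructed sample responses (not captured from a real Domino server): the echo
# shape seen in the Nessus output above, and a refusal as expected after the fix.
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Lotus-Domino\r\nConnection: close\r\n"
    b"Content-Type: message/http\r\nContent-Length: 96\r\n\r\n"
    b"TRACE /trace-check.html HTTP/1.1\r\nHost: 192.168.1.61\r\n"
    b"Connection: close\r\nX-Trace-Check: canary\r\n"
)
DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nServer: Lotus-Domino\r\n"
    b"Connection: close\r\nContent-Length: 0\r\n\r\n"
)
```

Run check_trace("your-domino-host") after "tell http restart"; a False result means the method is no longer answered, and the scanner should stop reporting plugin 11213.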

Resource and Reference:

http://www-01.ibm.com/support/docview.wss?uid=swg21201202