
How to test Heartbleed Bug

What is SSL Heartbleed Bug in simple English?

Basically, it is a bug (vulnerability) in the OpenSSL implementation of the SSL/TLS encryption that is widely used by most Internet applications such as websites, VPNs, email, etc. It allows an attacker to read or steal your communication data. For more detail, see http://heartbleed.com/ and http://www.kb.cert.org/vuls/id/720951


How to test Heartbleed Bug

Below are some useful links that let you check whether your HTTPS website is vulnerable to the Heartbleed bug:

Qualys SSL Labs: https://www.ssllabs.com/ssltest/

Heartbleed test: http://filippo.io/Heartbleed/

Critical Watch Heartbleed Tester: http://heartbleed.criticalwatch.com/

LastPass Heartbleed bug test: https://lastpass.com/heartbleed/

Heartbleed checker: http://possible.lv/tools/hb/



Disable Lotus Domino/Notes HTTP TRACE / TRACK Methods

HTTP TRACE / TRACK Methods
Synopsis : Debugging functions are enabled on the remote web server.

Description :

The remote web server supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users into giving him their credentials.


See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution : Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output : Nessus sent the following TRACE request :

—————————— snip ——————————
TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

—————————— snip ——————————

and received the following response from the remote server :

—————————— snip ——————————
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Fri, 11 Sep 2009 17:13:13 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 11 Sep 2009 17:13:13 GMT
Content-Type: message/http
Content-Length: 294

TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
—————————— snip ——————————

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485

Nessus ID : 11213

How to Disable HTTP TRACE/TRACK for IBM Lotus Domino Server

Option 1:

If you are using Internet Sites, you have to edit the Web Site document.

1. Go to Web Site document – Configuration tab

2. Un-check TRACE and OPTIONS

Option 2:

If you are using the Web Configuration view instead of Internet Sites, you can disable HTTP methods with the notes.ini variable HTTPDisableMethods, whose value is the name of the method to disable.

Append the line below to notes.ini on the Lotus Domino server:

HTTPDisableMethods=TRACE

Restart HTTP Service:

Restart the HTTP service for the setting to take effect by running the command below in the Domino console:

Tell http restart

Option 3:

Run the following command from the Domino Console:

set configuration HTTPDisableMethods=TRACE

tell http restart

Remark: Do not disable the CONNECT and OPTIONS methods, because they are used by Lotus Traveler.

Resources and References:

http://www-01.ibm.com/support/docview.wss?uid=swg21201202


Disable HTTP TRACE / TRACK Methods for Oracle-HTTP-Server (Apache)

HTTP TRACE / TRACK Methods
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote web server supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users into giving him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Nessus sent the following TRACE request :

—————————— snip ——————————
TRACE /Nessus1594872495.html HTTP/1.1
Connection: Close
Host: 192.168.1.1
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

—————————— snip ——————————

and received the following response from the remote server :

—————————— snip ——————————
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2009 06:27:29 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1594872495.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Language: en
Connection: Close
Host: 10.118.1.39
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

—————————— snip ——————————

CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485

How to disable HTTP TRACE / TRACK Methods

1. Modify C:\oracle\10gappr2\Apache\Apache\conf\httpd.conf (your installation location might be different) with the following configuration.

### Add to under “Dynamic Shared Object (DSO) Support” ###

LoadModule rewrite_module modules/ApacheModuleRewrite.dll
AddModule mod_rewrite.c

### Append to end of the file ###

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

2. Restart the Oracle10GAPPR2ProcessManager service or the server.
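After applying either fix (the Domino HTTPDisableMethods setting above or the Apache rewrite rule), it is worth confirming from the outside that the server no longer echoes TRACE or TRACK requests, which is exactly what the Nessus plugin tests for. The script below is an added example, not code from the original post or from IBM/Oracle: it classifies a server's answer the way the Nessus output above suggests (a 200 with Content-Type message/http means the method is still on; a 403, 405 or 501 means it is off) and can send a live TRACE/TRACK request to a host name you supply (the host in the usage line is a placeholder). The sample responses at the bottom are constructed, modelled on the two snips above.

```python
"""Post-remediation check: confirm HTTP TRACE and TRACK are really disabled.

Added example, not part of the original post.  Host names passed to
check_methods() are placeholders you supply.
"""
import http.client


def trace_is_enabled(status, content_type, body):
    """Classify one server answer to a TRACE or TRACK request.

    A server that still supports TRACE echoes the request back, as in the
    Nessus output above: status 200 and Content-Type: message/http.  A 403,
    405 or 501 (what the Domino setting and the [F] rewrite rule produce)
    means the method is disabled.  Returns True when the method is still on.
    """
    if status in (403, 405, 501):
        return False
    if status == 200 and content_type.lower().startswith("message/http"):
        return True
    # Some servers echo the request under a generic content type; a body
    # that starts with the request line is the giveaway.
    return status == 200 and body.lstrip().upper().startswith((b"TRACE ", b"TRACK "))


def check_methods(host, port=80, methods=("TRACE", "TRACK"), timeout=5):
    """Send each method to host:port and return {method: True/False/None}.

    None means the check could not be completed (connection refused, timeout,
    malformed reply), so the result must not be read as "disabled".
    """
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={"Connection": "close"})
            resp = conn.getresponse()
            body = resp.read()
            content_type = resp.getheader("Content-Type", "") or ""
            results[method] = trace_is_enabled(resp.status, content_type, body)
        except (OSError, http.client.HTTPException):
            results[method] = None
        finally:
            conn.close()
    return results


# Constructed samples modelled on the Nessus snips above and on the answer
# expected after the fix (status, Content-Type header, response body).
DOMINO_BEFORE_FIX = (
    200, "message/http",
    b"TRACE /Nessus2072953470.html HTTP/1.1\r\nHost: 192.168.1.61\r\n",
)
APACHE_REWRITE_F = (403, "text/html", b"<html><h1>Forbidden</h1></html>")
ORDINARY_GET_PAGE = (200, "text/html", b"<html><h1>Welcome</h1></html>")

if __name__ == "__main__":
    for label, sample in [("Domino before fix", DOMINO_BEFORE_FIX),
                          ("Apache with RewriteRule [F]", APACHE_REWRITE_F)]:
        print(label, "-> TRACE still enabled:", trace_is_enabled(*sample))
    # Live check against a server you administer (placeholder host name):
    # print(check_methods("www.example.internal", 80))
```

Run the live check once before and once after the change; a result of None for a method means the request never got a usable answer and should be retried rather than counted as fixed.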