Disable Lotus Domino/Notes HTTP TRACE / TRACK Methods
HTTP TRACE / TRACK Methods
Synopsis : Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
“Cross-Site Tracing”, when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users into giving him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Nessus sent the following TRACE request :
—————————— snip ——————————
TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
—————————— snip ——————————
and received the following response from the remote server :
—————————— snip ——————————
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Fri, 11 Sep 2009 17:13:13 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Expires: Fri, 11 Sep 2009 17:13:13 GMT
Content-Type: message/http
Content-Length: 294
TRACE /Nessus2072953470.html HTTP/1.1
Connection: Close
Host: 192.168.1.61
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
—————————— snip ——————————
CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485
Nessus ID : 11213
How to Disable HTTP TRACE/TRACK for IBM Lotus Domino Server
Option 1:
If you are using Internet Sites, you have to edit the Web Site document.
1. Open the Web Site document and go to the Configuration tab
2. In the list of allowed HTTP methods, un-check TRACE (leave OPTIONS checked; see the remark below)
Option 2:
If you are using the Web Configuration view instead of Internet Sites, you can disable HTTP methods with the notes.ini variable HTTPDisableMethods, whose value is the name of the method to disable.
Append the line below to the notes.ini of the Lotus Domino server:
HTTPDisableMethods=TRACE
Restart HTTP Service:
Restart the HTTP task for the setting to take effect by running the command below in the Domino console:
Tell http restart
Option 3:
Run the following commands from the Domino console (the first writes the setting to notes.ini, the second restarts the HTTP task):
set configuration HTTPDisableMethods=TRACE
tell http restart
Remark: Do not disable the CONNECT and OPTIONS methods; they are used by Lotus Traveler.
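Whichever option you use, verify the result the same way Nessus does: send a TRACE (and TRACK) request and check whether the server reflects it back with a 200 and Content-Type: message/http. The script below is an added example written for this post, not IBM or Tenable code. The host, port and path are assumptions; the "enabled" sample response is re-typed from the plugin output above, and the "rejected" and HTML samples are constructed (the post does not show what a patched Domino server returns, so a real result may differ and is classified conservatively).

```python
"""Probe a web server for HTTP TRACE / TRACK reflection (Nessus plugin 11213 check).

Added example for this post; not code from IBM Lotus Domino or from Nessus.
The host/port/path used at the bottom are assumptions for illustration.
"""
import socket
import sys

# Constructed sample: the Domino reply reproduced in the plugin output above,
# shortened to the headers that matter (Content-Length matches this body).
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Lotus-Domino\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 78\r\n"
    b"\r\n"
    b"TRACE /Nessus2072953470.html HTTP/1.1\r\n"
    b"Host: 192.168.1.61\r\n"
    b"Connection: Close\r\n"
)

# Constructed sample of a server refusing the method (assumed status code;
# the post does not show the patched server's actual reply).
SAMPLE_REJECTED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Lotus-Domino\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: 200 with an ordinary HTML page is NOT a reflection.
SAMPLE_HTML = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)


def build_request(method: str, host: str, path: str = "/") -> bytes:
    """Build a minimal HTTP/1.1 request for the given method, closing afterwards."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")


def classify(raw: bytes, method: bytes = b"TRACE") -> str:
    """Classify a raw HTTP response to a TRACE/TRACK probe.

    'echoed'   - the server reflected the request (XST is possible)
    'rejected' - the method was refused with a 4xx or 501
    'other'    - anything else (e.g. 200 with an HTML body): inspect by hand
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "other"
    lines = head.split(b"\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "other"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"").lower()
    # RFC 2616 TRACE replies carry message/http and echo the request line.
    echoed = body.lstrip().startswith(method + b" ")
    if status == 200 and (ctype.startswith(b"message/http") or echoed):
        return "echoed"
    if status in (400, 403, 405, 501):
        return "rejected"
    return "other"


def probe(host: str, port: int = 80, path: str = "/", method: str = "TRACE",
          timeout: float = 5.0) -> str:
    """Send one probe over a raw socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks), method.encode("ascii"))


if __name__ == "__main__":
    # Assumed target for illustration; pass your own host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.61"
    for m in ("TRACE", "TRACK"):
        print(m, probe(target, method=m))
```

A result of "echoed" for either method means the finding is still open; "other" usually means the server answered with its normal page or an error document rather than a reflection, which is what you want but worth confirming by looking at the body. The check is done over a raw socket rather than a browser because the XST risk is precisely that the server reflects whatever the client sends, including cookies and Authorization headers.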
Resource and Reference: