If you run a nessus scan against a Domino HTTP Server you might get the following result:

Scanner host: "nessus"
Imported from: "/opt/nessus/var/nessus/users/nessus.1/reports/xxxxxxxxxxxxxxxxxxxxxx.nessus"
Scan report created: 2012-06-05 22:06:09
Scan report imported: 2012-06-06 06:25:46
Report name: PeriodicScan[xxxxxxxxxxx]:Groupware-Server (scheduled)
Hostname: "Domino1" (xxx.xxx.xxx.xxx)
Plugin name: "HTTP TRACE / TRACK Methods Allowed"
Plugin family: "Web Servers"
Service: "www", Protocol "tcp", Port "80"
Severity: Medium
Risk factor: Medium

Fixing this "issue" (i.e. disabling the TRACE / TRACK methods) is quite easy:

TRACE and TRACK are HTTP methods used to debug web server connections. It has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker might use this flaw to trick your legitimate web users into giving him their credentials. So the best practice is to disable that function if it is not needed.
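The scanner finding above boils down to one observable behaviour: a server that still allows TRACE answers 200 and echoes the request (headers included) back in the body, which is the reflection XST relies on; a server where the method is disabled refuses it with 405, 501 or 403. The following script is an added example, not part of the original post or of any Domino tooling, for re-checking a server after applying one of the solutions below. The `X-Xst-Probe` header is a constructed marker; the host name is taken from the command line.

```python
import http.client
import sys

# Status codes that indicate the server refuses the method outright.
REFUSED_STATUSES = {403, 405, 501}
# Constructed marker header; a TRACE-enabled server echoes it back in the body.
PROBE_HEADER = "X-Xst-Probe"
PROBE_VALUE = "trace-check"


def classify_trace_response(status: int, body: bytes) -> str:
    """Interpret the answer to a TRACE request.

    'allowed'  : 200 and the body echoes our request (the reflection XST abuses)
    'disabled' : the method is refused (403/405/501), i.e. the fix is in place
    'unknown'  : anything else, e.g. a 200 that served a normal page instead
    """
    if status == 200 and f"{PROBE_HEADER}: {PROBE_VALUE}".encode() in body:
        return "allowed"
    if status in REFUSED_STATUSES:
        return "disabled"
    return "unknown"


def probe_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send one TRACE request to host:port and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        return classify_trace_response(resp.status, resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"TRACE on {target}: {probe_trace(target)}")
```

Run it once before and once after the change and after "tell http restart"; the result should move from "allowed" to "disabled". A 200 without the echoed marker is reported as "unknown" rather than "disabled", because some servers answer TRACE with a normal page and that still deserves a manual look.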

Solution 1 (Internet Sites):

If you are using Internet Sites, you control the allowed methods in the Web Site document. To verify or change the settings, go to the Web Site document, Configuration tab, and review the Allowed Methods section (the CONNECT method is rarely used and not allowed; therefore it is not listed). To disable TRACE, remove the check mark for that entry and save the document. After that, restart the HTTP task via "tell http restart".

Solution 2 (Web Configuration view):

If you are using the Web Configurations view instead of Internet Sites, you can disable HTTP methods with the notes.ini variable HTTPDisableMethods, whose value is the method name. Separate multiple method names with commas. For example, to disable the TRACE method, enter HTTPDisableMethods=TRACE. To disable TRACE and CONNECT, set HTTPDisableMethods=TRACE,CONNECT (e.g. via "set config HTTPDisableMethods=TRACE,CONNECT" on the server console). After that, restart the HTTP task via "tell http restart".

Warning:

Do NOT disable the CONNECT method on the server hosting the IBM Lotus Traveler component. If you disable it there, all Apple devices could no longer connect.
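Because HTTPDisableMethods is a single comma-separated value, adding TRACE must not clobber methods that are already listed, and on a Traveler host it must never end up containing CONNECT. The script below is an added example (not from the original post or from IBM) that merges new methods into an existing notes.ini line, refuses CONNECT when told the server runs Traveler, and prints the equivalent console commands from Solution 2. The notes.ini excerpt is constructed; key matching is case-insensitive, which is this script's choice.

```python
KEY = "HTTPDisableMethods"

# Constructed notes.ini excerpt (not from a real server); TRACK is already disabled.
SAMPLE_NOTES_INI = """[Notes]
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,Adminp,HTTP
HTTPDisableMethods=TRACK
"""


def current_disabled_methods(ini_text: str) -> list[str]:
    """Return the methods already listed in HTTPDisableMethods (key matched case-insensitively)."""
    methods: list[str] = []
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == KEY.lower():
            methods = [m.strip().upper() for m in value.split(",") if m.strip()]
    return methods


def merged_disabled_methods(ini_text: str, add: list[str], traveler_host: bool = False) -> str:
    """Merge `add` into the existing list, keeping order and dropping duplicates.

    On a Traveler server CONNECT must stay enabled, so the merge refuses it there.
    """
    merged = current_disabled_methods(ini_text)
    for method in add:
        method = method.strip().upper()
        if method and method not in merged:
            merged.append(method)
    if traveler_host and "CONNECT" in merged:
        raise ValueError("CONNECT must stay enabled on a Traveler host")
    return ",".join(merged)


def updated_notes_ini(ini_text: str, add: list[str], traveler_host: bool = False) -> str:
    """Return notes.ini text with HTTPDisableMethods set to the merged value (added if missing)."""
    value = merged_disabled_methods(ini_text, add, traveler_host)
    lines = ini_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        name, sep, _ = line.partition("=")
        if sep and name.strip().lower() == KEY.lower():
            lines[i] = f"{KEY}={value}"
            found = True
    if not found:
        lines.append(f"{KEY}={value}")
    return "\n".join(lines) + "\n"


def console_commands(value: str) -> list[str]:
    """Equivalent live change on the Domino console, followed by the required HTTP restart."""
    return [f"set config {KEY}={value}", "tell http restart"]


if __name__ == "__main__":
    new_value = merged_disabled_methods(SAMPLE_NOTES_INI, ["TRACE"])
    print(updated_notes_ini(SAMPLE_NOTES_INI, ["TRACE"]))
    print("\n".join(console_commands(new_value)))
```

With the sample file the merged value becomes TRACK,TRACE; asking for CONNECT with `traveler_host=True` raises instead of silently producing a setting that would lock out the Apple devices mentioned in the warning.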

You can find more information here:

How to enable or disable HTTP methods