Jetty web server has TRACE and OPTIONS methods enabled displayed as a warning in vulnerability scanners #386

Open
TylerDurden2019 opened this issue May 3, 2024 · 1 comment

@TylerDurden2019

Using a vulnerability scanner to scan a system running Nexus version 3.67.1-01 or lower will pick up two issues.

  1. HTTP TRACE Method Enabled

| Field | Value | Field | Value |
|---|---|---|---|
| ID | http-trace-method-enabled | Published | Nov 1, 2004 |
| Severity | Severe (6) | Added | Nov 1, 2004 |
| Risk Score | 696 | Modified | Feb 13, 2015 |
| CVSS | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | CVSS Score | 5.8 |
| Exploitability | | | |
| Categories | HTTP IAVM Web XSS | | |
| CVEs | CVE-2004-2320 CVE-2004-2763 CVE-2005-3398 CVE-2006-4683 CVE-2007-3008 CVE-2008-7253 CVE-2009-2823 CVE-2010-0386 | | |

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the client's cookies. This effectively results in a Cross-Site Scripting attack.

  2. HTTP OPTIONS Method Enabled

| Field | Value | Field | Value |
|---|---|---|---|
| ID | http-options-method-enabled | Published | Oct 7, 2005 |
| Severity | Moderate (3) | Added | Aug 28, 2018 |
| Risk Score | 586 | Modified | Jan 15, 2019 |
| CVSS | (AV:N/AC:H/Au:N/C:P/I:N/A:N) | CVSS Score | 2.6 |
| Exploitability | | | |
| Categories | HTTP Web | | |
| CVEs | | | |

Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.

I appended the following to the file nexus-3.67.1-01\etc\jetty\nexus-web.xml before the </web-app> tag at the end of the file.

```xml
<!-- An empty <auth-constraint/> names no permitted role, so the listed method is denied for every URL. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
<!-- Same deny-all constraint, applied to TRACE. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

</web-app>
```

This will disable the TRACE and OPTIONS methods.
Can this be added to the next build?
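
A way to audit a deployment descriptor for the constraints proposed in the issue above, as an added example that is not part of the original post or of the Nexus code base: it parses a web.xml and reports which of TRACE and OPTIONS are not denied by an empty `<auth-constraint/>` on `/*`. The sample descriptor, its namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal descriptor carrying the two constraints from the issue.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def denied_methods(web_xml_text, url_pattern="/*"):
    """Return the HTTP methods explicitly denied to everyone for url_pattern.

    Scope (assumption of this example): only collections that list
    <http-method> elements are evaluated; collections with no method list
    or with <http-method-omission> are ignored.
    """
    denied = set()
    root = ET.fromstring(web_xml_text)
    # "{*}name" matches the element in any namespace or none (Python 3.8+).
    for sc in root.findall(".//{*}security-constraint"):
        auth = sc.find("{*}auth-constraint")
        # Deny-all requires an auth-constraint that names no role at all.
        if auth is None or auth.find("{*}role-name") is not None:
            continue
        for wrc in sc.findall("{*}web-resource-collection"):
            patterns = {p.text.strip() for p in wrc.findall("{*}url-pattern") if p.text}
            if url_pattern in patterns:
                denied.update(m.text.strip() for m in wrc.findall("{*}http-method") if m.text)
    return denied


def missing_denials(web_xml_text, required=("TRACE", "OPTIONS")):
    """Methods from `required` that the descriptor does not deny for /*."""
    return sorted(set(required) - denied_methods(web_xml_text))
```

An empty list from `missing_denials` means both methods are covered; a constraint whose `<auth-constraint>` names a role is reported as missing because it restricts the method to that role rather than denying it.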

@TylerDurden2019 TylerDurden2019 changed the title Jetty web server has TRACE and OPTIONS methods enabled displayed as a warning in vulnerablity scanners Jetty web server has TRACE and OPTIONS methods enabled displayed as a warning in vulnerability scanners May 3, 2024
@nblair nblair added enhancement and removed pending labels May 7, 2024
@nblair
Contributor

nblair commented May 7, 2024

Thanks for opening an issue @TylerDurden2019 - we'll research your suggestion and see what's possible. Off the top of my head, I'm not sure if any of the formats we support require support for those HTTP verbs, but we'll review.
