[
https://issues.jboss.org/browse/WFLY-4610?page=com.atlassian.jira.plugin....
]
Junier Lee commented on WFLY-4610:
----------------------------------
Hi Support,
I do have this VA
Current WildFly is 9.0.2 Final
This is the VA that I got hit by on this version
https://www.tenable.com/plugins/index.php?view=single&id=11213
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/http-listener=default:read-resource
{
"outcome" => "success",
"result" => {
"allow-encoded-slash" => false,
"allow-equals-in-cookie-value" => false,
"always-set-keep-alive" => true,
"buffer-pipelined-data" => true,
"buffer-pool" => "default",
"certificate-forwarding" => false,
"decode-url" => true,
"enable-http2" => false,
"enabled" => true,
"max-buffered-request-size" => 16384,
"max-cookies" => 200,
"max-header-size" => 1048576,
"max-headers" => 200,
"max-parameters" => 1000,
"max-post-size" => 104857600L,
"no-request-timeout" => undefined,
"proxy-address-forwarding" => false,
"read-timeout" => undefined,
"receive-buffer" => undefined,
"record-request-start-time" => false,
"redirect-socket" => undefined,
"request-parse-timeout" => undefined,
"resolve-peer-address" => false,
"send-buffer" => undefined,
"socket-binding" => "http",
"tcp-backlog" => undefined,
"tcp-keep-alive" => undefined,
"url-charset" => "UTF-8",
"worker" => "default",
"write-timeout" => undefined
}
}
[standalone@localhost:9990 /]
Above, I do not have any attribute to state disallowed methods for TRACE and TRACK.
How do I work around it, since this version of mine will be the Final Version and I want
to have a workaround?
Please assist
Disable HTTP TRACE method by default on https
---------------------------------------------
Key: WFLY-4610
URL: https://issues.jboss.org/browse/WFLY-4610
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Reporter: Dan Hooper
Assignee: Stuart Douglas
A vulnerability scan tool found that the HTTP TRACE method is enabled on our WildFly
server. I could not find any information about disabling TRACE on WildFly. Previous
versions of JBoss had disabled TRACE by default.
The problem seems to only exist when using HTTPS.
I have linked to a Stack Overflow post about this topic.
http://stackoverflow.com/questions/28568730/how-to-disable-trace-track-ht...
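One way to confirm the scanner finding discussed in this thread on your own server, and to re-test each listener after applying a workaround (an added example, not code from the issue or from WildFly): it sends TRACE and TRACK with a random marker header and reports whether the marker is echoed back. The ports 8080 and 8443 on localhost, the `X-Trace-Probe` header name and the function names are assumptions.

```python
import http.client
import ssl
import uuid


def classify(status, body, marker):
    """Classify one probe response.

    A TRACE-style method is only proven live when the server echoes the
    request (and therefore our marker header) back in a 200 response.
    """
    if status == 200 and marker in body:
        return "ENABLED"
    if status in (403, 405, 501):
        return "DISABLED"
    return f"INCONCLUSIVE (HTTP {status})"


def probe(host, port, use_tls, methods=("TRACE", "TRACK"), timeout=5):
    """Send each method to one listener and return {method: verdict}."""
    results = {}
    for method in methods:
        marker = uuid.uuid4().hex  # fresh per request, so a cached page cannot match
        if use_tls:
            # Certificate verification stays on; a self-signed listener
            # certificate is reported as INCONCLUSIVE (SSLCertVerificationError).
            ctx = ssl.create_default_context()
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={"X-Trace-Probe": marker})
            resp = conn.getresponse()
            body = resp.read(65536).decode("latin-1")
            results[method] = classify(resp.status, body, marker)
        except (OSError, http.client.HTTPException) as exc:
            results[method] = f"INCONCLUSIVE ({type(exc).__name__})"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # Assumed ports for the "http" and "https" socket bindings; adjust to your setup.
    for port, tls in ((8080, False), (8443, True)):
        print("https" if tls else "http", port, probe("localhost", port, tls))
```

Checking both listeners separately matters here because the reporter saw the behaviour only over HTTPS.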