[jboss-jira] [JBoss JIRA] (WFLY-4610) Disable HTTP TRACE method by default on https
Junier Lee (JIRA)
issues at jboss.org
Fri Sep 22 04:22:00 EDT 2017
[ https://issues.jboss.org/browse/WFLY-4610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13467224#comment-13467224 ]
Junier Lee commented on WFLY-4610:
----------------------------------
Hi Support,
I do have this VA
Current Wildfly is 9.0.2 Final
This is the VA that I got hit by on this version:
https://www.tenable.com/plugins/index.php?view=single&id=11213
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/http-listener=default:read-resource
{
"outcome" => "success",
"result" => {
"allow-encoded-slash" => false,
"allow-equals-in-cookie-value" => false,
"always-set-keep-alive" => true,
"buffer-pipelined-data" => true,
"buffer-pool" => "default",
"certificate-forwarding" => false,
"decode-url" => true,
"enable-http2" => false,
"enabled" => true,
"max-buffered-request-size" => 16384,
"max-cookies" => 200,
"max-header-size" => 1048576,
"max-headers" => 200,
"max-parameters" => 1000,
"max-post-size" => 104857600L,
"no-request-timeout" => undefined,
"proxy-address-forwarding" => false,
"read-timeout" => undefined,
"receive-buffer" => undefined,
"record-request-start-time" => false,
"redirect-socket" => undefined,
"request-parse-timeout" => undefined,
"resolve-peer-address" => false,
"send-buffer" => undefined,
"socket-binding" => "http",
"tcp-backlog" => undefined,
"tcp-keep-alive" => undefined,
"url-charset" => "UTF-8",
"worker" => "default",
"write-timeout" => undefined
}
}
[standalone@localhost:9990 /]
Above, I do not have any attribute to state disallowed methods for TRACE and TRACK.
How do I work around it, since this version of mine will be the final version and I want to have a workaround?
Please assist.
> Disable HTTP TRACE method by default on https
> ---------------------------------------------
>
> Key: WFLY-4610
> URL: https://issues.jboss.org/browse/WFLY-4610
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Reporter: Dan Hooper
> Assignee: Stuart Douglas
>
> A vulnerability scan tool found that the HTTP TRACE method is enabled on our wildfly server. I could not find any information about disabling TRACE on wildfly. Previous versions of JBOSS had disabled TRACE by default.
> The problem seems to only exist when using HTTPS.
> I have linked to a stack overflow post about this topic.
> http://stackoverflow.com/questions/28568730/how-to-disable-trace-track-http-in-jboss-wildfly
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
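Added example, not code from the JIRA issue or the WildFly project: a small Python check that reports whether a listener still reflects TRACE, which is the condition the Tenable plugin linked above flags, so a workaround can be verified after it is applied. The two handler classes are constructed stand-ins for a listener with TRACE allowed and one that refuses it; the marker header name `X-Probe` is an assumption.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def trace_enabled(host, port, path="/", use_tls=False):
    """True if the server reflects TRACE (2xx, echoes our marker header);
    False if it refuses it (e.g. 405), i.e. the mitigation is in place."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"X-Probe": "trace-check"})
        resp = conn.getresponse()
        body = resp.read()
        # A reflected TRACE echoes the request line and headers we sent.
        return 200 <= resp.status < 300 and b"X-Probe: trace-check" in body
    finally:
        conn.close()


class EchoingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a listener with TRACE allowed: echoes it."""
    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep the example's output quiet
        pass


class RefusingHandler(EchoingHandler):
    """Constructed stand-in for a listener that disallows TRACE: 405."""
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Content-Length", "0")
        self.end_headers()


def probe_with(handler):
    """Start a throwaway local server on an ephemeral port and probe it."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_enabled("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real listener call `trace_enabled(host, port, use_tls=True)` directly (the issue notes the behaviour shows up over HTTPS); the handler classes exist only so the check can be exercised offline.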