JS - JobScheduler / JS-1153

Disabling the TRACE request method in the Jetty plugin of JobScheduler to avoid XSS exploits


Details

    • Type: Feature
    • Status: Approved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.7
    • Component/s: None
    • Labels: None

    Description

      TRACE is an input-data echo mechanism of the HTTP protocol. This request method is commonly used for debugging and other connection-analysis activities.
      A server that supports TRACE responds to an HTTP TRACE request by returning to the client the information contained in the request (request line, headers and post data).

      TRACE provides an easy way to tell what an HTTP client is sending and what the server is receiving. Apache, IIS and iPlanet all support TRACE as defined by the HTTP/1.1 RFC, and it is currently enabled by default. Very few system administrators have disabled this request method, either because the method posed no known risk, because the default settings were considered good enough, or simply because there was no option to do so.

      But in fact there is a risk, since your web server echoes sensitive information (including the request headers it received) back in its response to a TRACE request.

      The standard way to disable TRACE in Jetty is a security constraint in web.xml like this:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>NoTrace</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint>
        </auth-constraint>
      </security-constraint>

      This does not work with the Jetty instance running inside JobScheduler.
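      Whichever way TRACE ends up being disabled, the result should be verified from the outside rather than assumed from the configuration. The following script is an added example, not code from the JobScheduler project or this issue: it sends a single TRACE request carrying a constructed marker header and reports the status code and whether the marker was echoed back. To make it runnable offline it also starts two throwaway local servers, one that echoes TRACE like a default-configured server and one that refuses it with 405; against a real JobScheduler host you would call check_trace(host, port) directly. The names check_trace, EchoingHandler, RefusingHandler and the header X-Trace-Probe are all assumptions of this example.

```python
"""Verify whether an HTTP server echoes or refuses the TRACE method.

Added example (not part of the JobScheduler issue). The two handler
classes are stand-ins for "TRACE enabled" and "TRACE disabled" servers
so the check can be demonstrated without a network.
"""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker header: only an echoing server sends its value back.
MARKER_HEADER = "X-Trace-Probe"


class EchoingHandler(BaseHTTPRequestHandler):
    """Behaves like a server with TRACE enabled: echoes the request back."""

    def do_TRACE(self):
        # Echo request line plus all headers, as a TRACE-capable server does.
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class RefusingHandler(BaseHTTPRequestHandler):
    """Behaves like a server where TRACE is disabled: 405 Method Not Allowed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler_cls):
    """Start handler_cls on an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_trace(host, port, timeout=5.0):
    """Send one TRACE request and return (status_code, marker_echoed).

    marker_echoed is True only if the response body contains the random
    value we put into the marker header, i.e. the server reflected our
    request headers. A 405/501 with no echo means TRACE is disabled.
    """
    probe_value = "probe-" + uuid.uuid4().hex
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER_HEADER: probe_value})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    return resp.status, probe_value in body


def verdict(result):
    """Human-readable classification of a check_trace() result."""
    status, echoed = result
    if echoed:
        return "TRACE ENABLED (status %d, request headers echoed)" % status
    return "TRACE disabled (status %d, nothing echoed)" % status


def main():
    for label, handler in (("default-like", EchoingHandler),
                           ("hardened", RefusingHandler)):
        server, port = start_server(handler)
        try:
            print("%-12s -> %s" % (label, verdict(check_trace("127.0.0.1", port))))
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    main()
```

      Note that the check looks for the echoed marker value, not just for a 200 status: some servers answer TRACE with 200 but an empty body, and a status code alone would misclassify them.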

          People

            Joacim Zschimmer
            Uwe Risse