JFinal project vulnerability: HTTP TRACE / TRACK Methods All

The project uses JFinal and has already been upgraded to the latest version; a Nessus vulnerability scan still reports the finding HTTP TRACE / TRACK Methods All.

Below is the backend log captured during the scan:

Comments

zhangtianxiao

2020-09-15 17:51

........

zeroabc

2020-09-16 11:24

Bro, I've got a similar vulnerability report on my side too. Is there a fix?

zeroabc

2020-09-18 16:36

@JFinal How do I disable this HTTP TRACE?

zeroabc

2020-09-18 17:10

Reading this post, it seems to offer an approach: https://blog.csdn.net/nklinsirui/article/details/108540403

zeroabc

2020-09-18 19:05

@JFinal It worked!! Boss Zhan is awesome! Add the following code before undertow.start();

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.util.HttpString;

// Wrap the deployment's handler chain so TRACE and TRACK requests are
// rejected with 405 before they reach any JFinal action.
undertow.onDeploy((classLoader, deploymentInfo) -> {
    deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
        @Override
        public HttpHandler wrap(HttpHandler handler) {
            HttpString[] disallowedHttpMethods = { HttpString.tryFromString("TRACE"),
                    HttpString.tryFromString("TRACK") };
            return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
        }
    });
});

zeroabc

2020-09-18 19:05

C:\WINDOWS\system32>curl -v -X TRACE http://localhost/check/captcha
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE /check/captcha HTTP/1.1
> Host: localhost
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: no-cache
< Set-Cookie: JSESSIONID=4-YBgJ5YFXMSSVkquALBZ1m3lMO9L-ynaPGJ601D; path=/
< Server: JFinal
< Pragma: no-cache
< Date: Fri, 18 Sep 2020 08:45:44 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
< Content-Type: image/jpeg
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 1365)
* Failed writing data
* Closing connection 0

↓ After the change ↓

C:\WINDOWS\system32>curl -v -X TRACE http://localhost/check/captcha
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE /check/captcha HTTP/1.1
> Host: localhost
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Server: JFinal
< Content-Length: 0
< Date: Fri, 18 Sep 2020 09:05:24 GMT
<
* Connection #0 to host localhost left intact
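A scripted version of the curl check above, added here as an example (not code from the thread or from JFinal): it probes TRACE and TRACK against a host and reports, per method, whether the server accepted the request and whether it echoed the request headers back, so the fix can be re-verified after every deployment. The X-Probe header name, the marker value and the local fixture server are constructed for the example; point audit() at the real host and port instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "trace-check-marker"  # constructed header value an echoing server would send back

def probe(host, port, method, path="/", timeout=5):
    """Send one request carrying the marker header; return (status, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={"X-Probe": MARKER})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def audit(host, port, path="/"):
    """Probe TRACE and TRACK like the curl check in the thread: 'allowed' is a 2xx
    answer (the pre-fix 200), 'reflected' means our headers came back in the body."""
    report = {}
    for method in ("TRACE", "TRACK"):
        status, body = probe(host, port, method, path)
        report[method] = {"status": status, "allowed": 200 <= status < 300,
                          "reflected": MARKER.encode() in body}
    return report

class FixtureHandler(BaseHTTPRequestHandler):
    """Constructed local server: echoes TRACE (unhardened), rejects TRACK with 405."""

    def do_TRACE(self):
        body = f"{self.requestline}\r\n{self.headers}".encode()  # echo the request
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACK(self):
        self.send_response(405)
        self.send_header("Content-Length", "0")
        self.end_headers()

def run_fixture():
    """Start the fixture on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), FixtureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Against the hardened JFinal/Undertow server, both methods should report status 405 with allowed and reflected both False.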