Although this is not CGIDEV programming, I thought some of you may be
dealing with server compliance scan issues as well. If you accept
credit/debit card payments over the internet, you probably have
received or will receive notification from card companies (Discover,
Visa, etc.) regarding compliance scanning to assure your server is
not vulnerable to various attacks.

If your server isn't accessible to the outside world, you probably
want to skip all of this.

Cross-site scripting (HTTP TRACE) is the vulnerability that kept
showing up on our report during monthly compliance scans even though
we kept trying different things to "patch the hole." Our compliance
scanning company tagged it as low vulnerability, so we just kept
working towards a solution rather than dropping everything to resolve
it.
We are at OS V5R2 using the Apache server, and this is what finally
worked:

Make the RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
rather than RewriteCond %{REQUEST_METHOD} ^TRACE
or RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)

(Apparently these latter two work for most servers or
server/vulnerability scan combinations, because practically all the
documentation I found showed that as the fix.) Here is a link to the
one site I found that finally gave us the answer:
http://www-1.ibm.com/support/docview.wss?uid=swg21154731

The entries in the config file will look like this:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
    RewriteRule .* - [F]

If you have virtual hosts that also get scanned, you will need to
make sure this is either hard coded for them as well or "inherited."

If you are like me and don't mess with the configuration very often,
these steps using the Admin GUI (V5R2) may be helpful:

This will be under the "Manage" tab; select your "Server" and "Server
area", of course.

Under "Server Properties" > "URL Mapping" > "URL Rewriting" tab:
  "URL rewriting": Enabled
  "URL rewriting rules:" You will need to Add a Condition and a Rule.
    For the Condition, enter '%{REQUEST_METHOD}' under "Pattern to
    match or test string" and '!^(GET|POST|HEAD)' under "New URL
    condition or pattern".
    For the Rule, enter '.*' under "Pattern to match or test string"
    and '-[F]' under "New URL condition or pattern". (Leave all the '
    out, of course.)

When done, click the "Apply" button.
You will also need to restart the server. (Wait if you have virtual
hosts to change.)

If you did all this to the Global configuration, and you do have
virtual hosts this needs to apply to, you will need to make sure they
inherit:
  Select the virtual host under the "Server area".
  You will need to be under "URL Mapping" > "URL Rewriting" again.
  "URL rewriting": Enabled
  Check the box for "Inherit rewrite configuration from containing
  contexts".
  Click the "Apply" button, and restart the server.

I only turned on the logging for one virtual host during the general
time frame I knew the scan would be done because this adds a lot of
log entries. Logging isn't necessary for all this to work; I just
wanted to see what the scanning company was actually doing. NOTICE
that you must create a log file IF YOU TURN ON LOGGING for the
rewrite engine.
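
As an added example (not part of the original post, and not IBM or
Apache code), here is a small Python dry-run that re-implements just
enough of the RewriteCond semantics, a regex tested against
%{REQUEST_METHOD} with a leading "!" negating the match, to compare the
three conditions mentioned above against a constructed set of request
lines. The request lines, the made-up "GETX" method token, and the extra
'!^(GET|POST|HEAD)$' variant with an end anchor are my additions for
illustration; the script does not parse httpd.conf.

```python
"""Offline dry-run of the RewriteCond patterns discussed in the post.

Constructed example: this re-implements only the slice of mod_rewrite
behaviour needed here (a regex tested against %{REQUEST_METHOD}, a
leading "!" negating the match, case-sensitive because no [NC] flag is
used) so the candidate conditions can be compared without a server.
It is not Apache or IBM code and does not read httpd.conf.
"""
import re

# Patterns from the post, plus one variant with an end anchor ("$") that
# is added here as a suggestion and is not taken from the post.
CONDITIONS = [
    "^TRACE",
    "^(TRACE|TRACK)",
    "!^(GET|POST|HEAD)",
    "!^(GET|POST|HEAD)$",   # added variant, see the note below the code
]

# Constructed request lines standing in for what a scanner might send;
# "GETX" is a made-up method token included to show the effect of "$".
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.0",
    "HEAD /index.html HTTP/1.1",
    "POST /cgi-bin/order.pgm HTTP/1.1",
    "TRACE / HTTP/1.1",
    "TRACK / HTTP/1.1",
    "OPTIONS * HTTP/1.1",
    "GETX / HTTP/1.1",
]


def request_method(request_line):
    """Return the method token, i.e. everything before the first space."""
    method, _sep, _rest = request_line.partition(" ")
    return method


def cond_matches(pattern, test_string):
    """Evaluate one RewriteCond pattern against a test string.

    A leading "!" negates the regex match, as in mod_rewrite. The match
    is case-sensitive, which is mod_rewrite's default without [NC].
    """
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, test_string) is not None
    return hit != negate


def forbidden_methods(pattern, request_lines=SAMPLE_REQUEST_LINES):
    """Methods for which 'RewriteRule .* - [F]' would answer 403 under
    the given condition; returned sorted for stable comparison."""
    return sorted({request_method(line) for line in request_lines
                   if cond_matches(pattern, request_method(line))})


def compare_conditions(request_lines=SAMPLE_REQUEST_LINES):
    """Map each candidate RewriteCond pattern to the methods it blocks."""
    return {p: forbidden_methods(p, request_lines) for p in CONDITIONS}


if __name__ == "__main__":
    for pattern, blocked in compare_conditions().items():
        print(f"RewriteCond %{{REQUEST_METHOD}} {pattern:22} -> 403 for {blocked}")
```

Running it shows why the allow-list form catches everything the two
deny-list forms do and more: OPTIONS is rejected along with TRACE and
TRACK, which matters if anything on the box depends on OPTIONS (WebDAV
clients, for instance). The post's pattern has no "$", so an odd method
token such as GETX would still pass; the end anchor closes that. Two
further points for anyone copying the config: Apache splits directive
arguments on whitespace, so the documented form is "RewriteRule .* - [F]"
with a space, and "-[F]" written as one token is read as the
substitution string rather than as a flag; and later Apache releases
(2.0.55 and 1.3.34 onward) also offer a "TraceEnable off" directive for
this purpose, where the server level supports it.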