sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

Jetty web server has TRACE and OPTIONS methods enabled displayed as a warning in vulnerability scanners #386

Open TylerDurden2019 opened 7 months ago

TylerDurden2019 commented 7 months ago

Using a vulnerability scanner to scan a system running Nexus version 3.67.1-01 or lower will pick up two issues.

1) HTTP TRACE Method Enabled

ID: http-trace-method-enabled
Published: Nov 1, 2004
Severity: Severe (6)
Added: Nov 1, 2004
Risk Score: 696
Modified: Feb 13, 2015
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVSS Score: 5.8
Exploitability:
Categories: HTTP IAVM Web XSS
CVEs: CVE-2004-2320 CVE-2004-2763 CVE-2005-3398 CVE-2006-4683 CVE-2007-3008 CVE-2008-7253 CVE-2009-2823 CVE-2010-0386

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the client's cookies. This effectively results in a Cross-Site Scripting attack.

2) HTTP OPTIONS Method Enabled

ID: http-options-method-enabled
Published: Oct 7, 2005
Severity: Moderate (3)
Added: Aug 28, 2018
Risk Score: 586
Modified: Jan 15, 2019
CVSS: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Score: 2.6
Exploitability:
Categories: HTTP Web
CVEs:

Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.

I appended the following to the file nexus-3.67.1-01\etc\jetty\nexus-web.xml before the </web-app> tag at the end of the file.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

</web-app>

This will disable the TRACE and OPTIONS methods. Can this be added to the next build?
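The constraints above work because an empty `<auth-constraint/>` grants access to no role at all, so the servlet container rejects the listed methods for every request. The script below is an added example (not part of the issue, and not Sonatype's code) that lints a `web.xml` for exactly this pattern and reports which of TRACE and OPTIONS are still unrestricted for `/*`, which is a useful pre-deployment check before the scanner is re-run. The embedded `SAMPLE_WEB_XML` is a constructed minimal `web.xml` carrying the two constraints from the issue; the `probe_method` helper is an assumed post-deployment check and is not exercised against any live host here.

```python
import http.client
import xml.etree.ElementTree as ET

# Constructed sample: a minimal web.xml carrying the two constraints from the issue.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}http-method' -> 'http-method'."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml, url_pattern="/*"):
    """Return the set of HTTP methods that web_xml denies to everyone for url_pattern.

    Only a <security-constraint> whose <auth-constraint> lists no <role-name>
    counts: that is the "deny all" form. A constraint that names roles merely
    requires authentication and is ignored here.
    """
    root = ET.fromstring(web_xml)
    denied = set()
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        auth = [c for c in constraint if _local(c.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue  # no auth-constraint, or one that grants roles: not deny-all
        for coll in constraint:
            if _local(coll.tag) != "web-resource-collection":
                continue
            patterns = {p.text.strip() for p in coll
                        if _local(p.tag) == "url-pattern" and p.text}
            if url_pattern not in patterns:
                continue
            denied.update(m.text.strip().upper() for m in coll
                          if _local(m.tag) == "http-method" and m.text)
    return denied


def missing_restrictions(web_xml, required=("TRACE", "OPTIONS")):
    """List the required methods that web_xml does NOT deny for /*."""
    denied = denied_methods(web_xml)
    return sorted(m for m in required if m not in denied)


def probe_method(host, port, method, path="/", timeout=5):
    """Assumed runtime check: send one request and return the HTTP status.

    After the constraints are in place the container is expected to answer a
    denied method with 403 (or 405), never 200.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("denied for /*:", sorted(denied_methods(SAMPLE_WEB_XML)))
    print("still allowed:", missing_restrictions(SAMPLE_WEB_XML))
```

Point `denied_methods` at the real `etc/jetty/nexus-web.xml` contents to confirm the edit took. One caveat worth testing before shipping the OPTIONS constraint for `/*`: OPTIONS is also the verb browsers use for CORS preflight requests, so any browser-based client of the repository should be exercised after the change.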

nblair commented 6 months ago

Thanks for opening an issue @TylerDurden2019 - we'll research your suggestion and see what's possible. Off the top of my head, I'm not sure if any of the formats we support require support for those HTTP verbs, but we'll review.