
VBE 5.x & 6.x: Gatekeeper allows HTTP TRACE and TRACK

  • February 16, 2013

Problem:

  • Product Name: VisiBroker
  • Product Version: 5.x and above
  • Product Component: Gatekeeper
  • Platform/OS Version: All
  • JDK/Compiler Version: n.a.

VBE 5.x & 6.x: Gatekeeper allows HTTP TRACE and TRACK.

When running a Nessus scan against the Gatekeeper process, a security issue is reported for port 8088 (Gatekeeper's ex-HIOP listener port): it allows the HTTP TRACE and TRACK methods.

As noted on Nessus' site, "servers supporting these methods are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick legitimate web users into giving him their credentials."

Resolution:

Even though there is no specific restriction on the TRACE method, Gatekeeper only serves GET, PUT and POST messages (i.e. it only provides implementations for servicing these HTTP methods).

Gatekeeper implements servlet-related interfaces. It wraps a plain java.net.URLConnection to process HTTP requests, but it does not process TRACE messages. The HIOP ports (both ex-hiop and hiop_ts) can also be disabled. These two HIOP ports are provided only for downloading the IOR and Applet when Gatekeeper runs as a standalone process (as opposed to running as a servlet); the ex-hiop port can additionally be used to process HIOP messages. Even though Gatekeeper understands HTTP, it is not designed to be a full-fledged web server.
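The distinction above (the method is not rejected, but nothing is actually echoed) is what decides whether the Nessus finding is a real Cross-Site-Tracing exposure. The following verification script is an added example, not part of this KB article or of the VisiBroker product: it sends a TRACE or TRACK request carrying a canary header to a host and port you supply (the hostname, port 8088 and the `X-Xst-Probe` header name are assumptions) and classifies the reply as reflected, accepted without echo, rejected, or no HTTP response.

```python
import socket

# Canary header: only a genuine TRACE echo will put it back in the body,
# so a bare "200 OK" with no echo is not mistaken for reflection.
CANARY = "X-Xst-Probe: canary-7f3a"


def build_probe_request(method: str, host: str, port: int) -> bytes:
    """Minimal HTTP/1.1 TRACE/TRACK request carrying the canary header."""
    assert method in ("TRACE", "TRACK")
    return (
        f"{method} / HTTP/1.1\r\nHost: {host}:{port}\r\n{CANARY}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def classify_trace_response(response: bytes) -> str:
    """Classify a raw HTTP response to the probe.

    "reflected"   - 2xx and the canary is echoed in the body: the XST
                    precondition Nessus warns about is really present.
    "accepted"    - 2xx but no echo: the method is not refused, yet the
                    listener reflects nothing (the Gatekeeper case above).
    "rejected"    - any non-2xx status (405, 501, ...).
    "no-response" - empty reply, e.g. a non-HTTP listener closed the socket.
    """
    if not response:
        return "no-response"
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    if 200 <= code < 300:
        return "reflected" if CANARY.encode() in body else "accepted"
    return "rejected"


def probe(host: str, port: int, method: str = "TRACE", timeout: float = 5.0) -> str:
    """Send the probe to host:port and classify whatever comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(method, host, port))
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return classify_trace_response(b"".join(chunks))
```

Run `probe("gatekeeper.example.internal", 8088)` and `probe(..., method="TRACK")` against your own listener; only a "reflected" result means the scanner's XST warning applies, while "accepted" matches the behaviour described in the resolution.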


Author: Henry Hwang
Support Case: 580678

Old KB# 26479

#VisiBroker
#gatekeeper
#Security