Disable HTTP Trace


Disable HTTP Trace

Michael Larue-2
Tuesday, August 8, 2017 at 9:25:46 PM

Hi!

Is there a way to capture and disable (or send a 403 Forbidden) command in response to an HTTP TRACE request in Active4D?

Or is this something handled by the 4D Web Server (before it gets to Active4D)?

And if it's handled by 4D, is there a way to do it there? I think 4D v16 has this disabled now, but am using 4D v15.4 at this time.

Trying to come up with a quick solution for a security scan issue...

Many thanks!

Michael Larue
Dimension IV Consulting

_______________________________________________
Active4D-dev mailing list
[hidden email]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/

Re: Disable HTTP Trace

John Bellos
Hi Michael,

This is likely controlled through 4D in your application, not Active4D. Take a look at this KB Document. If you're on v15.4 it can be disabled:
http://kb.4d.com/assetid=77374


-
John Bellos


Re: Disable HTTP Trace

Michael Larue-2
Tuesday, August 8, 2017 at 10:05:24 PM

Hi John,

Thank you very much for your reply!

Just the answer I was looking for!

Until... I just realized that the R releases are NOT available in the dot releases, but are "rolled up" into the next version (16).

And, looking at the docs for 15.4 for this command, in fact it is not supported:

http://livedoc.4d.com/4D-Language-Reference-15.4/Web-Server/WEB-SET-OPTION.301-3275012.en.html

Bummer!

Anyway, I'm looking for a way to do this without upgrading (if possible); looks like I'm going to have to somehow intercept this in 4D, as I'm guessing it will be executed by the 4D Web Server prior to getting to Active4D.

It may be, however, that 4D executes this before any code is executed anywhere, in which case upgrading is the only option. Just checking, however, to see if anybody has run into this and knows a simple way to disable it.

(I'm looking through On Web Connection, but it's not clear that the TRACE command triggers anything there; does anybody know?)

I did check the following on the 4D v15.4 web server:

> curl -v -X OPTIONS http://www.4Dwebsite.com
> * About to connect() to www.4Dwebsite.com port 80 (#0)
> *   Trying XXX.XXX.XXX.XXX...
> * connected
> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
> > OPTIONS / HTTP/1.1
> > User-Agent: curl/7.28.0
> > Host: www.p5events.com
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Accept-Ranges: bytes
> < Allow: GET, POST, OPTIONS, HEAD
> < Connection: keep-alive
> < Content-Length: 0
> < Content-Type: text/html; charset=utf-8
> < Date: Tue, 08 Aug 2017 19:48:07 GMT
> < Expires: Tue, 08 Aug 2017 19:48:07 GMT
> < Server: 4D/15.0.4
> <
> * Connection #0 to host www.4Dwebsite.com left intact
> * Closing connection #0

and from the above (the ALLOW line), supposedly TRACE isn't allowed. However, when running the following:

> curl -v -X TRACE http://www.4Dwebsite.com
> * About to connect() to www.4Dwebsite.com port 80 (#0)
> *   Trying XXX.XXX.XXX.XXX...
> * connected
> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.28.0
> > Host: www.p5events.com
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Accept-Ranges: bytes
> < Connection: keep-alive
> < Content-Length: 82
> < Content-Type: message/http
> < Date: Tue, 08 Aug 2017 19:47:28 GMT
> < Expires: Tue, 08 Aug 2017 19:47:28 GMT
> < Pragma: no-cache
> < Server: 4D/15.0.4
> <
> TRACE / HTTP/1.1
> Accept: */*
> Host: www.4Dwebsite.com
> User-Agent: curl/7.28.0
>
> * Connection #0 to host www.4Dwebsite.com left intact
> * Closing connection #0

sadly, it's not giving a 403 Forbidden error, but happily responding with a 200 code... :-(

(not sure if this is the way it's supposed to work, but you'd think OPTIONS would reflect the options available...)

Anyway, again, if anybody has any advice on how to solve this issue (disable the HTTP TRACE command in 4D v15.4), would be greatly appreciated!

Cheers!

--Mike--


Re: Disable HTTP Trace

Aparajita Fishman
You'll have to trap TRACE in 4D's On Web Connection method, it isn't supported by Active4D.

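An added example of the approach Aparajita describes (this is not code from the thread, from 4D or from Active4D): a check at the top of the On Web Connection database method that answers a TRACE request with a 403 before the request reaches the rest of the method. It assumes that 4D v15 places the request line ("TRACE / HTTP/1.1") at the start of $2, and that the X-STATUS pseudo-header in WEB SET HTTP HEADER sets the response status code. Whether 4D v15.4 routes TRACE into On Web Connection at all is exactly what Mike's curl test above leaves open, so the same `curl -v -X TRACE` check is the way to confirm the trap actually fires after deploying it.

```4d
  // On Web Connection database method -- added example, not 4D's or Active4D's own code
  // $1: URL; $2: HTTP headers and body of the request; $3: client IP address;
  // $4: server IP address; $5: user name; $6: password
C_TEXT($1;$2;$3;$4;$5;$6)
C_TEXT($method)

  // Assumption: the request line is the first line of $2, so the HTTP method is
  // the token before the first space. Position returns 0 if there is no space,
  // which leaves $method empty and falls through to normal handling.
$method:=Substring($2;1;Position(" ";$2)-1)

If ($method="TRACE")  // 4D string comparison is case-insensitive; fine for a deny rule
	  // Assumption: X-STATUS is honoured by WEB SET HTTP HEADER and sets the status line.
	  // Reply with 403 and an empty-ish text body; the echo of the request never happens.
	WEB SET HTTP HEADER("X-STATUS: 403")
	WEB SEND TEXT("Forbidden";"text/plain")
Else 
	  // Every other method takes the normal path. On an Active4D site this is where the
	  // existing Active4D dispatch call already sits; it is left unchanged here (placeholder).
End if 
```

Keep the check ahead of any other work in the method, so that no part of the application (and no Active4D page) runs for a TRACE request; and re-run the OPTIONS and TRACE curl commands from the thread against the patched server, since the Allow header alone did not reflect what the 4D v15.4 web server actually accepted.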