1 Vulnerability description and reproduction
1.1 Vulnerability description
1.2 Reproduction
Run the command curl -v -X TRACE IP:PORT. If the server answers with a 200 response (echoing the request back as message/http), the TRACE method is enabled and the TRACE vulnerability is present.
[root@vxdfbdbgggsd ~]# curl -v -X TRACE 192.168.21.237:8081
....... (preceding output omitted) .......
> TRACE HTTP://192.168.21.237:8081/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.21.237:8081
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK (the status here is 200)
< Content-Type: message/http
< Content-Length: 216
< Date: Wed, 10 May 2023 01:28:03 GMT
< X-Cache: MISS from adadavfbbbf
< Via: 1.1 adadavfbbbf(squid/4.15)
< Connection: keep-alive
<
....... (remaining output omitted) .......
[root@vxdfbdbgggsd ~]#
2 Remediation
When Spring Boot runs with the embedded Undertow container, the pom contains the Undertow starter dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-undertow</artifactId>
</dependency>
Add a configuration class that wraps Undertow's initial handler chain with a DisallowedMethodsHandler, so TRACE and TRACK requests are answered with 405 Method Not Allowed before they reach the servlet layer:
import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.util.HttpString;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;

/**
 * Customizes the embedded Undertow server so that the TRACE and TRACK
 * methods are rejected with 405 Method Not Allowed.
 */
@Configuration
public class UndertowWebServerCustomizerConfig
        implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {

    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addDeploymentInfoCustomizers(deploymentInfo -> {
            // Wrap the outermost handler chain so the check runs before any servlet
            deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
                @Override
                public HttpHandler wrap(HttpHandler handler) {
                    // TRACK is the IIS equivalent of TRACE; block both
                    HttpString[] disallowedHttpMethods = {
                        HttpString.tryFromString("TRACE"),
                        HttpString.tryFromString("TRACK")
                    };
                    return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
                }
            });
        });
    }
}
Restart the service for the change to take effect.
3 Verification after the fix
Repeating the same request, the 200 response is gone: the server now answers 405 Method Not Allowed.
[root@vxdfbdbgggsd ~]# curl -v -X TRACE 192.168.21.237:8081
* About to connect() to proxy 192.168.21.238 port 3128 (#0)
* Trying 192.168.21.238...
* Connected to 192.168.21.238 (192.168.21.238) port 3128 (#0)
> TRACE HTTP://192.168.21.237:8081/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.21.237:8081
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 405 Method Not Allowed
< Content-Length: 0
< Date: Wed, 17 May 2023 10:44:33 GMT
< X-Cache: MISS from adadavfbbbf
< Via: 1.1 adadavfbbbf (squid/4.15)
< Connection: keep-alive
<
* Connection #0 to host 192.168.21.238 left intact
[root@vxdfbdbgggsd ~]#
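The manual curl above checks only TRACE. The following script is an added example, not part of the original post: it probes TRACE and TRACK, classifies each status code the way the two curl sessions above are read (2xx means the request was echoed, 405 or any other refusal means blocked), and also confirms that a plain GET still succeeds, so the fix has not broken the service. The target URL is a constructed placeholder; the check_target function and the "enabled"/"blocked"/"unreachable" verdicts are this example's own naming.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a service rejects
# the HTTP TRACE and TRACK methods while still answering a normal GET.
# The default target below is a constructed placeholder; pass your own URL as $1.

# Status code curl receives for one HTTP method ("000" when nothing answered).
http_status() {
    method="$1"; url="$2"
    code=$(curl -s -o /dev/null -m 5 -X "$method" -w '%{http_code}' "$url" 2>/dev/null)
    echo "${code:-000}"
}

# Interpret the status of a TRACE/TRACK probe:
#   any 2xx -> "enabled"     (the server echoed the request, as in the 200 seen before the fix)
#   000     -> "unreachable" (no HTTP answer at all; the check is inconclusive)
#   other   -> "blocked"     (405 from DisallowedMethodsHandler, or any other refusal)
classify_trace_status() {
    case "$1" in
        2??) echo "enabled" ;;
        000) echo "unreachable" ;;
        *)   echo "blocked" ;;
    esac
}

# Run the full check against one URL. Returns 0 only if TRACE and TRACK are
# both blocked and GET still returns 2xx/3xx.
check_target() {
    url="$1"; failed=0
    for m in TRACE TRACK; do
        code=$(http_status "$m" "$url")
        verdict=$(classify_trace_status "$code")
        echo "$m $url -> $code ($verdict)"
        [ "$verdict" = "blocked" ] || failed=1
    done
    get_code=$(http_status GET "$url")
    echo "GET $url -> $get_code"
    case "$get_code" in
        2??|3??) ;;
        *) echo "GET does not succeed; the service may be down"; failed=1 ;;
    esac
    return "$failed"
}

# Only probe the network when a target is given on the command line.
if [ "$#" -gt 0 ]; then
    check_target "$1"
fi
```

Usage: sh check_trace.sh http://192.168.21.237:8081/ (constructed address). The sessions above went through a squid proxy; when a proxy sits in the path it may answer on the server's behalf, so run curl with --noproxy '*' (or unset http_proxy) to be sure the 405 comes from the application itself.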