[Zope] Re: Does Zope support HTTP Trace method??

Tres Seaver tseaver at zope.com
Fri Mar 11 12:11:46 EST 2005



Jay Zeemer wrote:

| Actually if you query the Zope web service to see what it supports it
| tells you:
|
| Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE,
| PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK

Most Zope objects are willing to respond to a TRACE request, but the
implementation doesn't actually do what TRACE is mandated to:

$ telnet www.zope.org 80
Trying 63.240.213.171...
Connected to www.zope.org.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: www.zope.org

HTTP/1.0 405 Method Not Allowed

The code (in webdav.Resource), looks like so:

    def TRACE(self, REQUEST, RESPONSE):
        """Return the HTTP message received back to the client as the
        entity-body of a 200 (OK) response. This will usually
        be intercepted by the web server in use. If not, the TRACE
        request will fail with a 405 (Method Not Allowed), since it
        is not often possible to reproduce the HTTP request verbatim
        from within the Zope environment."""
        self.dav__init(REQUEST, RESPONSE)
        raise MethodNotAllowed, \
          'Method not supported for this resource.'

ZServer / ZPublisher don't add any support for TRACE, so you have no
exploit to worry about.

| TRACE allows for some XSS problems and I just want to make sure I
| have the server locked down against as many vulnerabilities as I can.
| I can not find any mention of the Zope Web Server supporting TRACE so
| I am trying to find out if it actually does support it or if it's just
| reacting to the query.
|
| The tool I used is called Nikto, it's just an HTTP assault tool.  It
| looks through a predefined list like Nessus, but restricts itself
| to possible HTTP issues.  It also plays a lot nicer on a network :)


Tres.
--
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
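An added check, not part of the thread or of Zope's own code, that tells the two cases apart from the outside: a server that genuinely implements TRACE answers 200 with a message/http body echoing the request, while Zope's webdav.Resource answers 405 even though OPTIONS advertises TRACE. The two handler classes are constructed stand-ins served on localhost so the script runs offline; point trace_status() at a real host and port to verify a deployment.

```python
"""Classify a server's TRACE behaviour: real echo (risk) or advertised-but-405."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def trace_status(host, port, path="/"):
    """Send one TRACE and return "echo", "denied" or "other:<status>".

    "echo" means the response body reflects our marker header, i.e. TRACE
    really is implemented (the cross-site tracing concern from the thread);
    "denied" is the 405 that Zope's webdav.Resource.TRACE raises.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={"X-Probe": "trace-check"})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    conn.close()
    if resp.status == 200 and "X-Probe: trace-check" in body:
        return "echo"
    if resp.status == 405:
        return "denied"
    return "other:%d" % resp.status


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's stderr clean
        pass


class ZopeLikeHandler(_Quiet):
    """Constructed stand-in: lists TRACE in Allow but answers 405, like Zope."""
    def do_TRACE(self):
        self.send_response(405, "Method Not Allowed")
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()


class EchoTraceHandler(_Quiet):
    """Constructed stand-in for a server with TRACE genuinely enabled."""
    def do_TRACE(self):
        echoed = self.raw_requestline + self.headers.as_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)


def check_handler(handler):
    """Serve `handler` on an ephemeral localhost port and probe it once."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_status("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("Zope-like server:", check_handler(ZopeLikeHandler))   # denied
    print("Echoing server:  ", check_handler(EchoTraceHandler))  # echo
```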
