By default, the Domino web server supports the HTTP TRACE method. Retina Network Security Scanner (and probably other vulnerability scanners) treats this as a vulnerability because, on some web servers, HTTP TRACE can be used as a point of attack for information disclosure.
IBM has a technote out there called "Are there any known vulnerabilities in the Domino server related to HTTP Trace method?". The technote states that there are no known vulnerabilities with Domino R6's HTTP TRACE method, but it also includes instructions on how to disable it if the system owner wants to. This is a good thing since it helps knock another hit off a network scan by the security folks... it's much faster and easier to make that hit go away if you don't need the method than it is to explain why it's there and that it's not necessarily a big deal.
The easy way to disable the TRACE method is to uncheck the TRACE box in the Allowed Methods section on the Configuration tab of the site's Internet Site document, if the site uses one. Not all Domino web sites use Internet Site documents and some can't (QuickPlace still can't, nor can Sametime), and there is no Allowed Methods section in a Server document.
For Domino sites that don't use Internet Site documents, you need to add "HTTPDisableMethods=TRACE" to the notes.ini. Be aware that this disables the method for every site on the server, so you can't pick and choose if you're not using Internet Site docs. You can add other HTTP methods here as well if you want to, but that's out of the scope of this SnTT posting.
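As an added example (not from the original post or from IBM), here is a small Python script that makes the notes.ini change idempotently and lets you confirm the result afterwards. It assumes notes.ini is a plain key=value file and that multiple methods in HTTPDisableMethods are comma-separated (that separator is an assumption; check IBM's documentation before relying on it). The sample notes.ini contents are constructed for the example, and the probe function is meant only for confirming the change on a server you administer after restarting the HTTP task.

```python
"""Add TRACE to HTTPDisableMethods in a Domino notes.ini without clobbering
any methods already listed, then optionally confirm the server's behaviour.

Added example, not code from the original post or from IBM. Assumes a
key=value notes.ini and a comma-separated HTTPDisableMethods value (assumption).
"""
import http.client

KEY = "HTTPDisableMethods"

# Constructed sample notes.ini: an admin has already disabled PUT and DELETE.
SAMPLE_INI = """[Notes]
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP
HTTPDisableMethods=PUT, delete
"""


def _split_methods(value: str) -> list:
    """Normalise a comma-separated method list to upper-case, dropping blanks."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def parse_disabled_methods(ini_text: str) -> set:
    """Return the set of methods currently listed in HTTPDisableMethods.

    The key match is case-insensitive because notes.ini keys are."""
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == KEY.lower():
            return set(_split_methods(value))
    return set()


def ensure_methods_disabled(ini_text: str, methods=("TRACE",)) -> str:
    """Return ini_text with every method in `methods` present in HTTPDisableMethods.

    Existing entries are kept (the server-wide setting may already be in use),
    the key is appended if missing, and re-running on the output changes nothing."""
    wanted = {m.upper() for m in methods}
    lines = ini_text.splitlines()
    for i, line in enumerate(lines):
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == KEY.lower():
            current = _split_methods(value)
            merged = current + sorted(wanted - set(current))
            lines[i] = f"{KEY}={','.join(merged)}"
            break
    else:
        # No existing key: add one at the end of the file.
        lines.append(f"{KEY}={','.join(sorted(wanted))}")
    return "\n".join(lines) + "\n"


def trace_probe(host: str, port: int = 80, timeout: float = 5.0) -> int:
    """Send a single TRACE request to a server you administer and return the
    HTTP status code. Before the change Domino answers 200; after the HTTP task
    is restarted with TRACE disabled it should no longer do so (the post does
    not state the exact rejection code, so compare against your own baseline)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/")
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("Before:", sorted(parse_disabled_methods(SAMPLE_INI)))
    updated = ensure_methods_disabled(SAMPLE_INI)
    print("After: ", sorted(parse_disabled_methods(updated)))
    print(updated)
```

Run it against a copy of the real notes.ini (read the file, pass its text through ensure_methods_disabled, write it back) rather than editing by hand, so that a second run or another admin's earlier HTTPDisableMethods entry does not get lost. The HTTP task must be restarted for the new setting to take effect.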
Technorati Tags: Domino, Lotus, Security, show-n-tell thursday, Technology