I keep getting HTTP TRACE / TRACK Methods Enabled vulnerability in Coldfusion server. Any suggestions to fix this would be of great help.
If you do not use those methods then disable them. Just Google for something like `disable HTTP TRACE / TRACK Methods`. – Miguel-F Nov 15 '17 at 12:47

1 Answer
The blanket disallowing of these methods is more the concern of the HTTP server (IIS, Apache, NGINX) than the application server (Coldfusion, Lucee). There may be use cases where these HTTP verbs might be legitimately in use.
You can, however, handle this from within the onRequestStart method of Application.cfc with a few lines of code.
// inside onRequestStart() of Application.cfc (CFScript syntax)
var disallowVerbs = [ "TRACE", "TRACK" ];
if( arrayContains( disallowVerbs, cgi.request_method ) ){
    // 405 matches the "Method Not Allowed" reason phrase (the original pairing with 403 was inconsistent)
    cfheader( statusCode=405, statusText="Method Not Allowed" );
    abort; // stop here; otherwise the requested page would still be processed after the header is set
}

– JClausen
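Once TRACE/TRACK is blocked at either the web server or the application layer, the finding needs to be re-verified from the outside. The following added example (not code from the question or the answer above) is a small Python checker: it builds a raw TRACE request carrying a marker header, and classifies the response as "method enabled" only if the server echoed the request back (status 200 with a `message/http` body, or the marker visible in the body). A 405/403, or a 200 that simply served the normal page, counts as blocked. The hostname `example.test`, the `X-Probe` header name and the sample responses are constructed for the example.

```python
"""Offline-testable check for whether an HTTP server still honours TRACE/TRACK.

Added example, not from the original Q&A. A server with TRACE enabled reflects
the request back with status 200 and Content-Type: message/http; a server that
blocks the method answers 405 (or 403/501). The classification works on raw
bytes so it can be exercised with constructed responses; probe() does the
network round trip over a plain socket.
"""
import socket

CRLF = "\r\n"
MARKER = "trace-check"  # constructed marker value; X-Probe is an assumed, made-up header name


def build_request(method: str, host: str, path: str = "/", marker: str = MARKER) -> bytes:
    """Build a raw TRACE/TRACK request whose X-Probe header acts as the reflection marker."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        f"X-Probe: {marker}",
        "Connection: close",
        "",
        "",
    ]
    return CRLF.join(lines).encode("ascii")


def parse_response(raw: bytes) -> tuple[int, dict, bytes]:
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def method_enabled(raw: bytes, marker: str = MARKER) -> bool:
    """True only if the server reflected the request: 200 plus message/http body or echoed marker.

    A 200 that serves the ordinary page (server treated TRACE like GET) is NOT
    a reflection and is reported as disabled; any non-200 status is disabled.
    """
    status, headers, body = parse_response(raw)
    if status != 200:
        return False
    reflected_type = headers.get("content-type", "").startswith("message/http")
    return reflected_type or marker.encode("ascii") in body


def probe(host: str, port: int = 80, method: str = "TRACE", timeout: float = 5.0) -> bool:
    """Send one request to host:port and classify the answer (live check, not used by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return method_enabled(b"".join(chunks))


# Constructed sample responses for offline use.
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Probe: trace-check\r\nConnection: close\r\n\r\n"
)
BLOCKED_RESPONSE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST, HEAD\r\nContent-Length: 0\r\n\r\n"
SERVED_PAGE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Home</body></html>"

if __name__ == "__main__":
    for label, sample in (("enabled", ENABLED_RESPONSE), ("blocked", BLOCKED_RESPONSE), ("served page", SERVED_PAGE_RESPONSE)):
        print(f"{label:12s} -> TRACE enabled: {method_enabled(sample)}")
```

Run `probe("your.host", 80)` and `probe("your.host", 80, method="TRACK")` against the server after the change; both should return `False`. Checking the `message/http` content type as well as the marker avoids a false "enabled" verdict when a server answers TRACE with its normal page, and a false "disabled" verdict when a server reflects the request under a different content type.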