HTTP OPTIONS Method Enabled
Article ID: 279316

Updated On: 02-14-2024

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

The OPTIONS method provides a list of the methods supported by the web server; it is a request for information about the communication options available on the request/response chain identified by the Request-URI. Enabling the TRACE method usually leads to disclosure of sensitive information. This vulnerability affects the web server.

Environment

UIM 20.4.x / 23.4

Component: Operator Console

Resolution

Do the following to disable the OPTIONS method in the SAML web app:

1. Go to IM/AC and disable the OC robot's wasp probe.
2. Go to the OC robot's installation location and, after taking a backup of the file, open web.xml from the path <Nimsoft_Directory>\probes\service\wasp\webapps\samlsso\WEB-INF.
3. Find the tag </web-app>, paste the configuration below just above that tag, and save the file.
4. Activate the wasp probe.


<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>un restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
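A way to confirm that an edited web.xml actually carries the restriction, as an added example that is not part of this article or of DX UIM: the Python script below (standard library only, Python 3.8+ for the `{*}` namespace wildcard) parses a constructed copy of the two security-constraint blocks above wrapped in a minimal web-app root and reports which HTTP methods are denied to everyone on /*. Only a constraint whose auth-constraint is empty (no role-name) denies a method, so the first block above blocks OPTIONS while the second, which has no auth-constraint at all, restricts nothing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's two blocks wrapped in a minimal web-app root.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>un restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

def denied_methods(web_xml_text, url_pattern="/*"):
    """HTTP methods that web.xml denies to everyone on url_pattern.
    Denied means: listed in a security-constraint for that pattern whose
    auth-constraint is empty (no role-name); the container answers 403.
    A collection that names no http-method covers every method ('*').
    """
    root = ET.fromstring(web_xml_text)
    denied = set()
    # '{*}' matches any namespace, so the check works with or without an xmlns.
    for sc in root.findall(".//{*}security-constraint"):
        auth = sc.findall("{*}auth-constraint")
        if not auth or auth[0].findall("{*}role-name"):
            continue  # open, or role-based rather than a blanket deny
        for wrc in sc.findall("{*}web-resource-collection"):
            patterns = {p.text.strip() for p in wrc.findall("{*}url-pattern")}
            if url_pattern not in patterns:
                continue
            methods = {m.text.strip().upper() for m in wrc.findall("{*}http-method")}
            denied |= methods or {"*"}
    return denied

def options_is_blocked(web_xml_text):
    """True when the fix is in place: OPTIONS (or every method) denied on /*."""
    return bool({"OPTIONS", "*"} & denied_methods(web_xml_text))
```

Run denied_methods over the real web.xml after step 3; once the wasp probe is active again, an OPTIONS request to the samlsso context should be answered with 403 rather than 200 with an Allow header.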


Note: This fix will be part of the DX UIM 20.4 CU10 / 23.4 CU1 release.