huayan889 Posted September 30, 2020 Share Posted September 30, 2020 使用1.90.0.1535编译的应用做安全扫描时发现有“启用了不安全的 HTTP 方法”,这个漏洞的影响是:可能会在 Web 服务器上上载、修改或删除 Web 页面、脚本和。如果使用 Tomcat修复很简单,直接修改 的 web.xml 就可以,但unigui不清楚怎样修复? <security-constraint> <web-resource-collection> <web-resource-name>fortune</web-resource-name> <url-pattern>/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint></auth-constraint> </security-constraint> Quote Link to comment Share on other sites More sharing options...
huayan889 Posted November 15, 2020 Author Share Posted November 15, 2020 终于找到解决方法了,需然用AWS能扫出这漏洞,经验证后发现unigui本身就没实现HEAD、DELETEPUT、TRACE和OPTION这些功能,但默认返回200,安全工具根据返回状态判断命令执行成功。 知道原因后解决起来很简单,当执行HEAD、DELETE、PUT、TRACE和OPTION等命令时直接返回405就可以。 procedure TUniServerModule.UniGUIServerModuleHTTPCommand( ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean); begin if (ARequestInfo.CommandType =hcHEAD) or (ARequestInfo.CommandType =hcPUT) or (ARequestInfo.CommandType =hcTRACE) or (ARequestInfo.CommandType =hcOPTION) or (ARequestInfo.CommandType =hcDELETE) then begin Handled := false; AResponseInfo.ResponseNo:=405; AResponseInfo.CloseConnection:=true; AResponseInfo.CharSet := 'UTF-8'; AResponseInfo.ContentType := 'Text'; AResponseInfo.ContentText := '本软件不支持HEAD,DELETE,PUT,TRACE,OPTION等命令!'; end; end; Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.