huayan889 Posted September 30, 2020 Share Posted September 30, 2020 使用1.90.0.1535编译的应用做安全扫描时发现有“启用了不安全的 HTTP 方法”,这个漏洞的影响是:可能会在 Web 服务器上上载、修改或删除 Web 页面、脚本和。如果使用 Tomcat修复很简单,直接修改 的 web.xml 就可以,但unigui不清楚怎样修复? <security-constraint> <web-resource-collection> <web-resource-name>fortune</web-resource-name> <url-pattern>/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> </web-resource-collection> <auth-constraint></auth-constraint> </security-constraint> Link to comment Share on other sites More sharing options...
huayan889 Posted November 15, 2020 Author Share Posted November 15, 2020 终于找到解决方法了,需然用AWS能扫出这漏洞,经验证后发现unigui本身就没实现HEAD、DELETEPUT、TRACE和OPTION这些功能,但默认返回200,安全工具根据返回状态判断命令执行成功。 知道原因后解决起来很简单,当执行HEAD、DELETE、PUT、TRACE和OPTION等命令时直接返回405就可以。 procedure TUniServerModule.UniGUIServerModuleHTTPCommand( ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean); begin if (ARequestInfo.CommandType =hcHEAD) or (ARequestInfo.CommandType =hcPUT) or (ARequestInfo.CommandType =hcTRACE) or (ARequestInfo.CommandType =hcOPTION) or (ARequestInfo.CommandType =hcDELETE) then begin Handled := false; AResponseInfo.ResponseNo:=405; AResponseInfo.CloseConnection:=true; AResponseInfo.CharSet := 'UTF-8'; AResponseInfo.ContentType := 'Text'; AResponseInfo.ContentText := '本软件不支持HEAD,DELETE,PUT,TRACE,OPTION等命令!'; end; end; Link to comment Share on other sites More sharing options...
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now