Jump to content

怎样修复UNIGUI安全扫描出现“启用了不安全的 HTTP 方法”的漏洞?


huayan889

Recommended Posts

使用1.90.0.1535编译的应用做安全扫描时发现有“启用了不安全的 HTTP 方法”,这个漏洞的影响是:可能会在 Web 服务器上上载、修改或删除 Web 页面、脚本和。如果使用 Tomcat修复很简单,直接修改 的 web.xml 就可以,但unigui不清楚怎样修复?

<security-constraint>
 <web-resource-collection>
 <web-resource-name>fortune</web-resource-name>
 <url-pattern>/*</url-pattern>
 <http-method>PUT</http-method>
 <http-method>DELETE</http-method>
 <http-method>HEAD</http-method>
 <http-method>OPTIONS</http-method>
 <http-method>TRACE</http-method>
 </web-resource-collection>
 <auth-constraint></auth-constraint>
 </security-constraint>
 

1.png

2.png

3.png

4.png

31.png

Link to comment
Share on other sites

  • 1 month later...
终于找到解决方法了,需然用AWS能扫出这漏洞,经验证后发现unigui本身就没实现HEAD、DELETEPUT、TRACE和OPTION这些功能,但默认返回200,安全工具根据返回状态判断命令执行成功。
知道原因后解决起来很简单,当执行HEAD、DELETE、PUT、TRACE和OPTION等命令时直接返回405就可以。
procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
begin
  if (ARequestInfo.CommandType =hcHEAD) or
   (ARequestInfo.CommandType =hcPUT) or
   (ARequestInfo.CommandType =hcTRACE) or
   (ARequestInfo.CommandType =hcOPTION) or
   (ARequestInfo.CommandType =hcDELETE) then
  begin
      Handled := false;
      AResponseInfo.ResponseNo:=405;
      AResponseInfo.CloseConnection:=true;
      AResponseInfo.CharSet := 'UTF-8';
      AResponseInfo.ContentType := 'Text';
      AResponseInfo.ContentText := '本软件不支持HEAD,DELETE,PUT,TRACE,OPTION等命令!';
  end;
end;
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
×
×
  • Create New...