huayan889 Posted November 19, 2020

When using HyperServer, the security scan also reports the finding "insecure HTTP methods are enabled". Could the official team refer to this method to fix it?

    procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
      var Handled: Boolean);
    begin
      // Methods uniGUI does not implement itself: answer 405 Method Not Allowed
      // instead of the default 200, which is what the scanner keys on
      if ARequestInfo.CommandType in [hcHEAD, hcPUT, hcTRACE, hcOPTION, hcDELETE] then
      begin
        Handled := False;
        AResponseInfo.ResponseNo := 405;
        AResponseInfo.CloseConnection := True;
      end;
    end;
Farshad Mohajeri (Administrators) Posted November 19, 2020

Noted for further investigation.
huayan889 (Author) Posted November 20, 2020

Although AWS can scan out this vulnerability, after verification it turns out that uniGUI itself does not implement HEAD, DELETE, PUT, TRACE and OPTION at all, but it returns 200 by default, and the security tool judges from the returned status that the command executed successfully. Once the cause is known the fix is simple: when HEAD, DELETE, PUT, TRACE or OPTION commands are executed, just return 405 directly.
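As an added example (not code from this thread or from uniGUI), the following Python stand-in reproduces the two halves of what the post above describes: a server that, like the unpatched application, answers every method with 200, or, with the `strict` flag, answers the unimplemented methods with 405; and the probe a scanner effectively runs, sending each method and flagging any that comes back 2xx. `DemoHandler`, `probe_methods`, `flagged` and `run_demo` are names chosen here; the server only exists to make the check runnable offline.

```python
import http.client
import http.server
import threading
from typing import Dict, List

# Methods the thread says the application never implements, yet answered 200.
UNHANDLED_METHODS = ("HEAD", "PUT", "DELETE", "TRACE", "OPTIONS")


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in server. strict=False mimics the unpatched behaviour
    (200 for everything); strict=True answers unimplemented methods with 405."""

    strict = False

    def _answer(self, method: str) -> None:
        if self.strict and method in UNHANDLED_METHODS:
            # Method Not Allowed, with the Allow header RFC 7231 requires.
            self.send_response(405)
            self.send_header("Allow", "GET, POST")
            self.send_header("Content-Length", "0")
            self.send_header("Connection", "close")
            self.end_headers()
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if method != "HEAD":          # HEAD responses carry headers only
            self.wfile.write(body)

    # BaseHTTPRequestHandler dispatches on do_<METHOD>; each one defers to _answer.
    def do_GET(self): self._answer("GET")
    def do_HEAD(self): self._answer("HEAD")
    def do_PUT(self): self._answer("PUT")
    def do_DELETE(self): self._answer("DELETE")
    def do_TRACE(self): self._answer("TRACE")
    def do_OPTIONS(self): self._answer("OPTIONS")

    def log_message(self, *args) -> None:   # keep the demo quiet
        pass


def probe_methods(host: str, port: int, methods=UNHANDLED_METHODS) -> Dict[str, int]:
    """Send each method to '/' and record the status code, one connection per method."""
    results: Dict[str, int] = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, "/")
            resp = conn.getresponse()
            resp.read()
            results[method] = resp.status
        finally:
            conn.close()
    return results


def flagged(results: Dict[str, int]) -> List[str]:
    """What a scanner would report: methods that were 'accepted' (2xx)."""
    return sorted(m for m, status in results.items() if 200 <= status < 300)


def run_demo(strict: bool) -> Dict[str, int]:
    """Start the stand-in server on a free loopback port, probe it, shut it down."""
    handler = type("Handler", (DemoHandler,), {"strict": strict})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("unpatched:", run_demo(strict=False), "flagged:", flagged(run_demo(strict=False)))
    print("patched:  ", run_demo(strict=True), "flagged:", flagged(run_demo(strict=True)))
```

Pointing `probe_methods` at a real host and port is the same check the scanner performs, so it can be used to confirm that an upgraded HyperServer and node actually answer 405 before re-running the scanner. Note that HEAD answering 200 on a GET-able resource is normal HTTP and is only listed here because the thread's fix blocks it together with the others.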
Farshad Mohajeri (Administrators) Posted December 2, 2020

huayan889 said:
> After verification, it is found that unigui does not implement the functions of head, delete put, trace and option, but it returns 200 by default.

Yes, those commands are not handled internally. I will add a fix so those commands will return 405 if not handled by user code.

huayan889 (Author) Posted December 16, 2020

On 12/3/2020 at 3:22 AM, Farshad Mohajeri said:
> Yes, those commands are not handled internally. I will add a fix so those commands will return 405 if not handled by user code.

Hello, I see that v1.90.0.1541 has been added: [ung-3180] - unhandled HTTP commands should return 405. How do I set it to work?

Farshad Mohajeri (Administrators) Posted December 16, 2020

Hello. It is enabled by default.

huayan889 (Author) Posted December 16, 2020

53 minutes ago, Farshad Mohajeri said:
> Hello. It is enabled by default.

This is what I tested with the latest version.

Farshad Mohajeri (Administrators) Posted December 16, 2020

Are you handling the OnHTTPCommand event in your app? Also, you must upgrade both your hyper server and node applications to the new version.
huayan889 (Author) Posted December 16, 2020

56 minutes ago, Farshad Mohajeri said:
> Are you handling the httpcommand event in your app? Also, the hyper server and node applications must be upgraded to the new version.

The hyper server (1.90.0.1541) and node applications are the new version (1.90.0.1541).
huayan889 (Author) Posted December 16, 2020

1 minute ago, huayan889 said:
> The hyper server (1.90.0.1541) and node applications are the new version (1.90.0.1541).

Farshad Mohajeri (Administrators) Posted December 16, 2020

OK, we will check.

Farshad Mohajeri (Administrators) Posted December 16, 2020

Confirmed. Issue is fixed and will be available in the next build.

huayan889 (Author) Posted December 16, 2020

11 hours ago, Farshad Mohajeri said:
> Confirmed. Issue is fixed and will be available in the next build.

Thanks.