Java Question rdc.jar source code

Ron Davey

Member
Licensed User
Longtime User
We are having issues with PCI compliance and 'Trace'. We would like to try Jetty version 9 but are unable to get it to work with our rdc.jar. Is it possible to get the source code for the rdc.jar, or can it be compiled to use the new Jetty and/or c3p0?
 

Ron Davey

Member
Licensed User
Longtime User
RDC is based on Jetty 7.4.2. This is a stable and mature version of Jetty. What is the exact problem?

The source code is currently not available.

To ensure PCI compliance one of our customers is running a 'SecurityMetrics' program. The results of this program are as follows:

Description: HTTP TRACE / TRACK Methods Allowed

Synopsis: Debugging functions are enabled on the remote web server.

Impact: The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See also:
http://www.cgisecurity.com/whitehat-mirror/WHWhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html

Data Received: SecurityMetrics sent the following TRACE request:

------------------------------ snip ------------------------------
TRACE /SecurityMetrics1387329935.html HTTP/1.1
Connection: Close
Host: 74.7.44.114
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/xxbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server:

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 306
Connection: close
Server: Jetty(7.4.2.v20110526)

TRACE /SecurityMetrics1387329935.html HTTP/1.1
Connection: Close
Host: 74.7.44.114
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/xxbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

Resolution: Disable these methods. Refer to the plugin output for more information.

Risk Factor: Medium / CVSS2 Base Score: 5.8

The score of 5.8 results in our application failing. We had the customer turn off any trace in Java; we also got a copy of the c3p0 source and compiled a version that turned debugging off and set the trace level to 0. None of these changes had any effect on the above scan. I was reading that this problem has been resolved in a later version of Jetty (maybe version 9).

It would be appreciated if you could help.

Thanks Ron
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
Reverse proxy: http://en.wikipedia.org/wiki/Reverse_proxy

With a reverse proxy RDC is not directly accessible from outside. Instead the connections are made to the main web server which acts as a proxy to RDC.

For example the search engine on this site is configured this way (you cannot have two servers listen to the same port).
 
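The probe that the SecurityMetrics scan above performs, next to the GET/POST-only front end that a reverse proxy (or a method check inside the server itself) puts in front of RDC, as an added Python example that is not part of this thread and not RDC or rdc.jar code. Everything in it is an assumption for the demonstration: the two servers are stand-ins built on Python's http.server rather than Jetty, the `X-Xst-Probe` header and its `canary-123` value are made up, and `probe_trace`, `start_server` and `run_demo` are names chosen here. It uses only the standard library and runs on loopback.

```python
"""Added example (not from the thread or from RDC/rdc.jar): reproduce the
TRACE probe a PCI scanner performs and show a GET/POST-only front end.

Assumptions: Python 3.7+ standard library only; both servers are stand-ins
built on http.server, not Jetty; the marker header name and value are made up.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MARKER_HEADER = "X-Xst-Probe"  # hypothetical header we send and look for in the echo
MARKER_VALUE = "canary-123"    # constructed value, stands in for a cookie or auth header
ALLOWED_METHODS = ("GET", "POST")  # RDC only needs these two


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Stand-in for a server with TRACE enabled. Like the Jetty 7.4.2 response in
    the scan output, it answers 200 with Content-Type message/http and the
    request it received as the body. That echo is the cross-site tracing (XST)
    issue: whatever the client attached (cookies, Authorization) comes back."""
    protocol_version = "HTTP/1.1"

    def do_TRACE(self):
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the demo quiet
        pass


class MethodAllowlistHandler(BaseHTTPRequestHandler):
    """Hardened stand-in: only GET and POST reach application code; TRACE and
    TRACK get 405 with an Allow header; any other method gets http.server's
    default 501. A reverse proxy rule in front of RDC achieves the same thing."""
    protocol_version = "HTTP/1.1"

    def _refuse(self):
        self.send_response(405)
        self.send_header("Allow", ", ".join(ALLOWED_METHODS))
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def do_GET(self):
        body = b"ok"  # placeholder for the real application response
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET
    do_TRACE = _refuse
    do_TRACK = _refuse

    def log_message(self, *args):
        pass


def probe_trace(host, port, path="/"):
    """Send one TRACE request (plain HTTP; use HTTPSConnection for TLS) and
    classify the answer the way the scanner does: a 200 whose body is the
    echoed request means TRACE is enabled. Returns a dict of findings."""
    headers = {"Host": f"{host}:{port}", "Connection": "close", MARKER_HEADER: MARKER_VALUE}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1", errors="replace")
        content_type = resp.getheader("Content-Type", "")
    finally:
        conn.close()
    echoed = (resp.status == 200 and content_type.startswith("message/http")
              and body.startswith("TRACE "))
    return {
        "status": resp.status,
        "trace_enabled": echoed,
        "headers_reflected": echoed and MARKER_VALUE in body,
    }


def start_server(handler):
    """Start a stand-in server on an ephemeral loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Probe both stand-ins; returns {handler name: findings}."""
    results = {}
    for handler in (TraceEchoHandler, MethodAllowlistHandler):
        server, port = start_server(handler)
        try:
            results[handler.__name__] = probe_trace("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings}")
```

Running the block prints one line per stand-in: the echo server answers 200 with message/http and the marker header reflected in the body, which is the finding the scanner reports; the allowlist server answers 405 with Allow: GET, POST. Pointing `probe_trace` at the real host after a change is the quick way to confirm the fix took effect before rerunning the compliance scan. Note that TRACE is handled by the HTTP server, so settings in the database or connection-pool layer (such as c3p0) do not affect it.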

Ron Davey

Member
Licensed User
Longtime User
I will forward this information to our customer's IT company. But I want to be sure that what we are telling them is that the RDC is 'NOT PCI compliant'. If this is the case, do you know of any alternatives we can use that will allow us to continue to use basic4android and would satisfy PCI compliance without having to use a reverse proxy?

Thanks
 

Ron Davey

Member
Licensed User
Longtime User
This is not exactly what I wrote. You wrote that there was an issue that was fixed in Jetty 6. RDC uses Jetty 7 so this issue is fixed.


Only POST and GET requests are supported by RDC.

There is a definite misunderstanding. The PCI compliance scan by 'SecurityMetrics' was run on the Jetty 7 version. We thought that a newer version of Jetty would fix the problem. We were wrong. My question is: can we fix the PCI issue with your Jetty 7 version?

Thanks
 

Ron Davey

Member
Licensed User
Longtime User
I'm not familiar with the PCI compliance process.

I've attached a modified version of rdc which throws an error when you send a TRACE request. Replace the existing one in the libs folder and try it.

Thanks. This is the response I received after I installed the modified version:

"It appears the scan is not currently detecting any errors on the Android application! Thank you very much for your help in resolving that issue."

Maybe a good version to have around should anyone else run into PCI Compliance issues.

Again, thank you for your help.
 