HTTP OPTIONS method is supported in CLM applications
The web server replies to requests using the HTTP OPTIONS method. Usually, this method only serves for diagnostic purposes and returns the HTTP methods supported by the web server. As can be seen from the server response below, the underlying web or application server supports the following HTTP methods: GET, HEAD, POST, and OPTIONS.
curl -X OPTIONS -I -k https://192.168.1.4:9443/ccm/web/_js/dijit/
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
Allow: GET, HEAD, POST, OPTIONS
Content-Length: 0
Date: Thu, 02 Jul 2015 13:29:04 GMT
Threat
An attacker can use the OPTIONS method to gather information and to adapt his further procedure.
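As an added defender-side check (not part of the question and not CLM product code), the script below parses an OPTIONS response such as the one captured above and reports any advertised method outside an expected baseline; the baseline set, the "risky" set and the second sample response are assumptions constructed for the example.

```python
# Baseline a read/write web UI endpoint is expected to advertise (assumption).
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
# Methods whose appearance in Allow usually warrants a configuration review.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT", "PATCH", "PROPFIND"}


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response (status line plus headers) into a dict.

    Names are lower-cased; a repeated header is joined with ", " as RFC 7230
    allows for list-valued fields such as Allow.
    """
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("missing HTTP status line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def allowed_methods(raw: str) -> list[str]:
    """Methods listed in the Allow header, upper-cased, in order, de-duplicated."""
    methods: list[str] = []
    for token in parse_headers(raw).get("allow", "").split(","):
        m = token.strip().upper()
        if m and m not in methods:
            methods.append(m)
    return methods


def unexpected_methods(raw: str, expected: set[str] = EXPECTED_METHODS) -> list[str]:
    """Advertised methods missing from the baseline, risky ones listed first."""
    extra = [m for m in allowed_methods(raw) if m not in expected]
    return sorted(extra, key=lambda m: (m not in RISKY_METHODS, m))


# Constructed samples: the response quoted in the question, and a variant that
# also advertises PUT and TRACE to show what the check reports.
SAMPLE_OK = ("HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
             "Allow: GET, HEAD, POST, OPTIONS\r\nContent-Length: 0\r\n\r\n")
SAMPLE_EXTRA = SAMPLE_OK.replace("OPTIONS\r\n", "OPTIONS, PUT, TRACE\r\n")

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_EXTRA):
        extra = unexpected_methods(raw)
        print("baseline OK" if not extra else f"review methods: {extra}")
```

Feed it the headers saved from `curl -X OPTIONS -I` against your own deployment; an empty result for every path confirms the server advertises only the baseline methods.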
2 answers
Some security people think that OPTIONS assists attackers by telling them which HTTP methods are supported, but it does seem you could just try the methods and see what errors come back.
Anyone can try the methods one by one to achieve the same result as an OPTIONS request. So if we do disable OPTIONS, we are slowing down but not preventing attackers.
Disabling OPTIONS will not make the product in any way safer, but it could cause other issues with the mechanics and workflow of CLM applications. Therefore it is not a plan to disable it.