RFC compliant web servers support the TRACE HTTP method, which contains a flaw that may lead to an unauthorized information disclosure. The TRACE method is used to debug web server connections and allows the client to see what is being received at the other end of the request chain. Enabled by default in all major web servers, a remote attacker may abuse the HTTP TRACE functionality, i.e. cross-site scripting (XSS), which will disclose sensitive configuration information resulting in a loss of confidentiality.

If the TRACE method is not essential for your site, disable it in the web server configuration. Consult your documentation or vendor for detailed instructions on how to accomplish this.

• Security Tracker: 1015112 1015134 102016
• ISS X-Force ID: 11149 11237
• Bugtraq ID: 11604 9506 9561
• Secunia Advisory ID: 17334 21802
• SCIP VulDB ID: 1842
• CVE ID: 2005-3398 (see also: NVD) 2005-3498 (see also: NVD)
• Related OSVDB ID: 3726 5648
• CERT VU: 867593
• Vendor Specific Advisory URL: ftp://ftp.software.ibm.com/pc/pccbbs/pc_servers_pdf/dir5.10_docs_relnotes.pdf http://sunsolve.sun.com/search/document.do?assetkey=1-26-102016-1
• Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
• Other Advisory URL: http://en.wikipedia.org/wiki/Cross-site_tracing
  http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
  http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
• Vendor URL: http://www-03.ibm.com/servers/eserver/xseries/systems_management/ibm_director/resources/index.html

• WhiteHat Security, Inc. - WhiteHat Security, Inc.