Enable HTTP TRACE method

Http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/zh_CN/HTML/am51_webseal_guide32.htm

RFC 2616 for HTTP defines the TRACE method as follows, "This method is used to invoke the remote, application-layer loopback (loopback) of the requested message." The requesting receiver is a gateway to the source server or the first proxy or 0 (0) max-forwards value in the receive request. ”

The hacker has used the TRACE method to implement security attacks on the WEB server. To provide optimized security, WebSEAL blocks all requested TRACE methods to reach the WebSEAL server by default.

You can enable the TRACE method (disable blocking) by setting two entries in the WebSEAL configuration file.

To enable the TRACE method for a local response, set the following entry:

[Server]
http-method-trace-enabled = yes

To enable the TRACE method for the response of a join, set the following entry:

[Server]
Http-method-trace-enabled-remote = yes

The default WebSEAL configuration file does not set any values for these profile entries. The default behavior of WebSEAL, even when no profile entry is specified, blocks all TRACE methods.

===http://www.pc51.net/server/web/apache/2006-12-21/294.html

Your webserver support for trace and/or TRACK methods. Trace and track are the HTTP methods used to debug Web server connections.

There are cross-site scripting vulnerabilities in servers that support this approach, and "cross-site-tracing" is often referred to as XST when describing various browser flaws.

Attackers can exploit this vulnerability to deceive legitimate users and get their private information.

Solution: Disable these methods.


If you are using Apache, add the following statement to each virtual host's configuration file:

Rewriteengine on
Rewritecond%{request_method} ^ (trace| TRACK)
Rewriterule. *-[F]

If you are using Microsoft IIS, disable the HTTP trace request using the URLScan tool, or only open the way to meet site requirements and policies.

If you are using the Sun one Web Server releases 6.0 SP2 or a higher version, add the following statement to the default object section of the obj.conf file:
<client method= "TRACE" >
Authtrans fn= "Set-variable"
Remove-headers= "Transfer-encoding"
Set-headers= "Content-length:-1"
Error= "501"
</Client>

If you are using the Sun one Web Server releases 6.0 SP2 or a lower version, compile the NSAPI plug-in for the following address:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603


See Http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
Http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593

Risk Rating: Medium
___________________________________________________________________


The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
Are HTTP methods which are used to debug Web server connections.

It has been shown that servers supporting this method are subject
To cross-site-scripting attacks, dubbed XST for
"Cross-site-tracing", when used into conjunction with
Various weaknesses in browsers.

An attacker I/flaw to trick your legitimate Web users to
Give him their credentials.


Solution:
Add the following lines for each virtual host in your configuration file:

Rewriteengine on
Rewritecond%{request_method} ^ (trace| TRACK)
Rewriterule. *-[F]


Also http://www.kb.cert.org/vuls/id/867593
Risk Factor:medium
bugtraq_id:9506, 9561, 11604
nessus_id:11213

Empire cms,phome.net