How to prevent cross-site http trace attacks

What is a cross-site attack? When webserver supports TRACE and/or TRACK. TRACE and TRACK are the HTTP methods used to debug Web server connections. The server that supports this method has a Cross-Site scripting vulnerability. When describing various browser defects, the Cross-Site-Tracing vulnerability is referred to as XST. Attackers can exploit this vulnerability to fool legitimate users and obtain their personal information.
 
 
Solution: disable these methods.
 
If you are using Apache, add the following statement to the configuration file of each Virtual Host:
 
RewriteEngine on
 
RewriteCond % {REQUEST_METHOD} ^ (TRACE | TRACK)
 
RewriteRule. *-[F]
 
If you are using Microsoft IIS, use URLScan to disable http trace requests, or only enable methods that meet site requirements and policies.
 
If you are using Sun ONE Web Server releases 6.0 SP2 or later, add the following statement to the default object section of the obj. conf file:
 
<Client method = "TRACE">
 
AuthTrans fn = "set-variable"
 
Remove-headers = "transfer-encoding"
 
Set-headers = "content-length:-1"
 
Error = "501"
 
</Client>
 
If you are using Sun ONE Web Server releases 6.0 SP2 or a lower version, compile the NSAPI plug-in at the following address:
Http://sunsolve.sun.com/pub-cgi/retrieve.pl? Doc = fsalert % 2F50603
 
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
Http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
Http://sunsolve.sun.com/pub-cgi/retrieve.pl? Doc = fsalert % 2F50603
 
Http://www.kb.cert.org/vuls/id/867593