Multiple vendor Web servers HTTP TRACE method information disclosure
| http-trace-information-disclosure (11149) |  Medium Risk |
Description:
Multiple vendor Web servers, including Microsoft Internet Information Services (IIS) and Apache HTTP Server, could allow a remote attacker to obtain sensitive configuration about the Web server using the HTTP TRACE method. The HTTP TRACE method as described in RFC 2616 of the HTTP 1.1 standard is typically used for debugging and network analysis purposes to request the contents of HTTP request messages received by the Web server. On Web servers with HTTP TRACE support enabled, a remote attacker could leverage this functionality with known cross-site scripting and other Web browser vulnerabilities to obtain sensitive information about the Web server, including server cookies and authentication information. This information could then be used by the attacker to launch further attacks against the affected Web server.
Platforms Affected:
- Apache, HTTP Server
- Microsoft, IIS
- Sun, Java Application Server 7 2004Q2
- Sun, ONE Web Server 4.1
- Sun, ONE Web Server 6.0
- Sun, ONE Web Server 6.1
Remedy:
For HP-UX:
Follow the recommendation, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0309-279. See References.
As a workaround, disable HTTP TRACE support on your Web server. HTTP TRACE support can be disabled on Apache HTTP Server using the mod_rewrite module and on Microsoft Internet Information Services (IIS) using the URLScan tool.
For Sun ONE/iPlanet Web Server:
Apply the appropriate patch for your system, as listed in Sun Alert ID: 50603 for more information. See References.
For Sun Java System Application Server:
Apply the appropriate patch for your system, as listed in Sun Alert ID: 57670. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Obtain Information
References:
- Apache HTTP Server Project Web site, Apache module mod_rewrite at http://httpd.apache.org/docs/mod/mod_rewrite.html.
- BugTraq Mailing List, Wed Jan 22 2003 - 14:32:58 CST , TRACE used to increase the dangerous of XSS. at http://archives.neohapsis.com/archives/bugtraq/2003-01/0230.html.
- Microsoft Corporation Web site, Urlscan Security Tool at http://www.microsoft.com/technet/security/tools/urlscan.mspx.
- Request for Comment document RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1 at http://www.ietf.org/rfc/rfc2616.txt.
- Sun Alert ID: 50603, Sun ONE/iPlanet Web Server Enable HTTP TRACE Method by Default to Emulate the CERT VU at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603&zone_32=category%3Asecurity.
- Sun Alert ID: 50603, Sun ONE/iPlanet Web Server Enable HTTP TRACE Method by Default at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603&zone_32=category%3Asecurity.
- Sun Alert ID: 57670, Security Vulnerability With The HTTP TRACE Functionality in Sun Java System Application Server at http://sunsolve.sun.com/search/document.do?assetkey=1-26-57670-1&searchclause=.
- Whitehat Security White Paper, Cross-Site Tracing (XST) at http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf.
- BID-11604: Sun Java System Application Server HTTP TRACE Information Disclosure Vulnerability
- BID-9506: WebLogic Server and Express HTTP TRACE Credential Theft Vulnerability
- BID-9561: Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulnerability
Reported:
Jan 20, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net