Microsoft Internet Information Server (IIS) fails to properly log HTTP TRACK requests

iis-improper-httptrack-logging (14077) The risk level is classified as MediumMedium Risk


Microsoft Internet Information Server (IIS) could allow a remote attacker to obtain sensitive information. Microsoft Internet Information Server (IIS) fails to properly log HTTP TRACK requests. By sending a specially-crafted HTTP TRACK request, a remote attacker could cause the server to disclose sensitive information without the request being logged.


Obtain Information


Upgrade to the latest version of Microsoft IIS (6.0 or later), available from the Microsoft Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.


  • AQTRONIX Security Advisory AQ-2003-02: Microsoft IIS Logging Failure.
  • Cisco Security Notice: Cisco Enterprise Content Delivery System Manager HTTP TRACK Vulnerability.
  • BID-33374: Microsoft IIS HTTP TRACK Method Information Disclosure Vulnerability
  • BID-9313: Microsoft IIS Failure To Log Undocumented TRACK Requests Vulnerability
  • CVE-2003-1566: Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection.
  • CVE-2003-1567: The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE.
  • OSVDB ID: 4864: Microsoft IIS TRACK Logging Failure
  • OSVDB ID: 5648: Multiple Web Server Dangerous HTTP Method TRACK
  • US-CERT VU#288308: Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method

Platforms Affected:

  • Cisco Enterprise Content Delivery System (ECDS)
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0


Dec 28, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page