A malicious web site could cause arbitrary commands to run
on a client through a specially crafted link to the vulnerable server.
Background
Many web servers support the TRACE request
method, which causes the server to simply echo an
HTTP request back to the client unchanged.
The Problem
By sending a TRACE request containing SCRIPT
tags to a web server, it is possible to
cause the web server to return a page containing arbitrary commands
which are run by the client. While it is unlikely that
a user would deliberately send a request which would cause
this to happen, a user could be tricked into doing so by
following a specially-crafted link on another web server.
This vulnerability is known as cross-site tracing,
which is a variant of the well-known cross-site
scripting vulnerability.
A web server which is vulnerable to cross-site tracing
could be exploited by a malicious web site to trick an
unsuspecting user into executing arbitrary commands on
his or her own computer.
Resolution
Cross-site tracing can be fixed by disabling the
TRACE request method. If this is not an
option for your web server, install a vendor fix or
use one of the following workarounds:
Microsoft IIS: Use
URL Scan to filter both
TRACE and TRACK requests.
Apache: Enable the mod_rewrite
module, and add the following lines to the configuration
file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
iPlanet: Disabling the TRACE
request method currently requires making a change to a
shared object library. See the
White Paper for details.
