Cisco Enterprise Content Delivery System Manager HTTP TRACK Vulnerability
2014-08-07T20:55:45
ID: CISCO-SA-20140807-CVE-2003-1567 | Type: cisco | Reporter: Cisco | Modified: 2014-08-07T20:55:45
Description
A vulnerability in the HTTP TRACK/TRACE method of the Cisco Enterprise Content Delivery System (ECDS) could allow an unauthenticated, remote attacker to gain read access to some information stored on the affected system.
The vulnerability exists because the affected web server supports the TRACK method, which echoes the client's request back in the response. An attacker could exploit this vulnerability by sending a TRACK request and reading the HTTP headers that are returned in the response.
Cisco has confirmed the vulnerability in a security notice and released software updates.
A successful exploit could allow an attacker to gain read access to sensitive information stored on a targeted system. The information could allow the attacker to conduct further attacks.
{"id": "CISCO-SA-20140807-CVE-2003-1567", "vendorId": null, "type": "cisco", "bulletinFamily": "software", "title": "Cisco Enterprise Content Delivery System Manager HTTP TRACK Vulnerability", "description": "A vulnerability in the HTTP TRACK/TRACE method of the Cisco Enterprise Content Delivery System (ECDS) could allow an unauthenticated, remote attacker read access to some information stored in the affected system.\n\nThe vulnerability is due to an affected web server. An attacker could exploit this vulnerability by using TRACK to read the content of the HTTP headers that are returned in the response.\n\nCisco has confirmed the vulnerability in a security notice and released software updates.\n\nA successful exploit could allow an attacker to gain read access to sensitive information stored on a targeted system. The information could allow the attacker to conduct further attacks.", "published": "2014-08-07T20:55:45", "modified": "2014-08-07T20:55:45", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140807-CVE-2003-1567", "reporter": "Cisco", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140807-CVE-2003-1567"], "cvelist": ["CVE-2003-1567"], "immutableFields": [], "lastseen": "2022-03-12T03:52:20", "viewCount": 10, "enchantments": {"score": {"value": 6.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "cert", 
"idList": ["VU:288308"]}, {"type": "cve", "idList": ["CVE-2003-1567"]}, {"type": "f5", "idList": ["SOL15904"]}, {"type": "nessus", "idList": ["XST_HTTP_TRACE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:11213", "OPENVAS:136141256231011213"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:1C6EAE3D0C10C1B56BD63325DEB012A1"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2003-1567"]}, {"type": "f5", "idList": ["SOL15904"]}, {"type": "nessus", "idList": ["XST_HTTP_TRACE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:11213"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:1C6EAE3D0C10C1B56BD63325DEB012A1"]}]}, "exploitation": null, "vulnersScore": 6.2}, "_state": {"dependencies": 1647589307, "score": 0}, "_internal": {}, "affectedSoftware": [{"version": "any", "operator": "eq", "name": "cisco enterprise content delivery system (ecds)"}, {"version": "any", "operator": "eq", "name": "cisco enterprise content delivery system (ecds)"}], "vendorCvss": {"score": "5.8", "severity": "medium"}}
{"cve": [{"lastseen": "2022-03-23T12:01:39", "description": "The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE.", "cvss3": {}, "published": "2009-01-15T00:30:00", "type": "cve", "title": "CVE-2003-1567", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-1567"], "modified": "2009-01-16T05:00:00", "cpe": ["cpe:/a:microsoft:internet_information_services:5.0"], "id": "CVE-2003-1567", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1567", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*"]}], "cert": [{"lastseen": "2021-09-28T17:53:17", "description": "### Overview\n\nMicrosoft Internet Information Server (IIS) servers support a HTTP method called TRACK. The HTTP TRACK method returns the contents of client HTTP requests in the entity-body of the TRACK response. 
This behavior could be leveraged by attackers to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request.\n\n### Description\n\nMicrosoft IIS servers support the HTTP TRACK method. The HTTP TRACK method asks a web server to echo the contents of the request back to the client for debugging purposes. The TRACK request is not RFC compliant and not well documented.\n\nThe complete request, including HTTP headers, is returned in the entity-body of a TRACK response. This leads to a Cross-site Scripting attack. Using features that provide client-side HTTP protocol support, such as [XMLHTTP](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk/htm/xml_obj_ixmlhttprequest_8bp0.asp>) ActiveX or XMLDOM scripting objects, a web site can cause browsers to issue TRACK requests. The site can read the TRACK response, including sensitive header information such as cookies or authentication data. \n \nBecause the TRACK method is similar to the TRACE method, when combined with cross-domain browser vulnerabilities ([VU#244729](<http://www.kb.cert.org/vuls/id/244729>), [VU#711843](<http://www.kb.cert.org/vuls/id/711843>), [VU#728563](<http://www.kb.cert.org/vuls/id/728563>)), HTTP TRACK and client-side HTTP support can be leveraged by attackers to read sensitive header information from third-party domains. This technique has been termed \"Cross-Site Tracing,\" or XST, in a [report](<http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf>) published by WhiteHat Security. As noted in the report, the technique can be used to bypass the [HttpOnly](<http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp>) cookie attribute introduced in Microsoft Internet Explorer 6.0 SP1. 
HttpOnly blocks script access to the [cookie](<http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/cookie.asp>) property (document.cookie), but does not prevent a scripting object from reading the cookie out of an HTTP TRACK response. \n \nIIS 6 is reported to be not vulnerable. \n \n--- \n \n### Impact\n\nAttackers may abuse HTTP TRACK functionality to gain access to information in HTTP headers such as cookies and authentication data. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACK method. \n \n--- \n \n### Solution\n\nMicrosoft IIS 6 is reported to be not vulnerable. The TRACK method can be added to Microsoft's URLScan DenyVerbs section. It should not be in the AllowVerbs section in the urlscan.ini file. \n \n--- \n \n### Vendor Information\n\n288308\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: January 05, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nIIS 6 is reported as not vulnerable.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288308 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- \nTemporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) \nEnvironmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) \n \n \n\n\n### References\n\n * <http://www.microsoft.com>\n * <http://www.aqtronix.com/Advisories/AQ-2003-02.txt>\n\n### Acknowledgements\n\nThanks to Parcifal Aertssen for reporting this vulnerability.\n\nThis document was written by Jason A Rafail and Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-1567](<http://web.nvd.nist.gov/vuln/detail/CVE-2003-1567>) \n---|--- \n**Date Public:** | 2003-12-28 \n**Date First Published:** | 2004-01-05 \n**Date Last Updated: ** | 2004-01-09 19:06 UTC \n**Document Revision: ** | 12 \n", "cvss3": {}, "published": "2004-01-05T00:00:00", "type": "cert", "title": "Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-1567"], "modified": "2004-01-09T19:06:00", "id": "VU:288308", "href": "https://www.kb.cert.org/vuls/id/288308", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2017-07-02T21:10:06", "description": "Debugging functions are enabled on the remote HTTP server.\n\nThe remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK\nare HTTP methods which are used to debug web server connections. \n\nIt has been shown that servers supporting this method are subject to\ncross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when\nused in conjunction with various weaknesses in browsers. \n\nAn attacker may use this flaw to trick your legitimate web users to give\nhim their credentials.", "cvss3": {}, "published": "2005-11-03T00:00:00", "type": "openvas", "title": "http TRACE XSS attack", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2003-1567", "CVE-2004-2320"], "modified": "2017-05-03T00:00:00", "id": "OPENVAS:11213", "href": "http://plugins.openvas.org/nasl.php?oid=11213", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: xst_http_trace.nasl 6063 2017-05-03 09:03:05Z teissa $\n# Description: http TRACE XSS attack\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n# Improvements re TRACK and RFP reference courtesy of <sullo@cirt.net>\n# Improvements by rd - http_get() to get full HTTP/1.1 support, \n# security _warning() instead of security _hole(), slight re-phrasing\n# of the description\n# Fixes by Tenable:\n# - added CVE xref.\n#\n# Copyright:\n# Copyright (C) 2003 E-Soft Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even 
the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_id(11213);\n script_version(\"$Revision: 6063 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-03 11:03:05 +0200 (Wed, 03 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"http TRACE XSS attack\");\n script_cve_id(\"CVE-2004-2320\",\"CVE-2003-1567\");\n script_bugtraq_id(9506, 9561, 11604);\n \n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2003 E-Soft Inc.\");\n script_family(\"Web application abuses\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"summary\" , value :\n\"Debugging functions are enabled on the remote HTTP server.\n\nThe remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK\nare HTTP methods which are used to debug web server connections. \n\nIt has been shown that servers supporting this method are subject to\ncross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when\nused in conjunction with various weaknesses in browsers. 
\n\nAn attacker may use this flaw to trick your legitimate web users to give\nhim their credentials.\");\n\n script_tag(name : \"solution\" , value : \"Disable these methods.\");\n\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/867593\");\n exit(0);\n}\n\n\nsol[\"apache\"] = \"\nSolution: \nAdd the following lines for each virtual host in your configuration file :\n\n RewriteEngine on\n RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\n RewriteRule .* - [F]\n\nSee also http://httpd.apache.org/docs/current/de/mod/core.html#traceenable \n\";\n\nsol[\"iis\"] = \"\nSolution: Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods \nneeded to meet site requirements and policy.\";\n\nsol[\"SunONE\"] = '\nSolution: Add the following to the default object section in obj.conf:\n <Client method=\"TRACE\">\n AuthTrans fn=\"set-variable\"\n remove-headers=\"transfer-encoding\"\n set-headers=\"content-length: -1\"\n error=\"501\"\n </Client>\n\nIf you are using Sun ONE Web Server releases 6.0 SP2 or below, compile\nthe NSAPI plugin located at:\n http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603';\n\n\n\n#\n# The script code starts here\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nif (! get_port_state(port)) exit(0);\n\nbanner = get_http_banner(port:port);\nif ( ! 
banner ) exit(0);\n\n\nif ( egrep(pattern:\"^Server:.*IIS\", string:banner) ) report = sol[\"iis\"];\nelse if ( egrep(pattern:\"^Server:.*Apache\", string:banner) ) report = sol[\"apache\"];\nelse if ( egrep(pattern:\"^Server.*SunONE\", string:banner) ) report = sol[\"SunONE\"];\n\nfile = \"/OpenVAS\"+rand() + \".html\";\t# Does not exist\n\n cmd1 = http_get(item: file, port:port);\n cmd2 = cmd1;\n \n cmd1 = ereg_replace(pattern:\"GET /\", string:cmd1, replace:\"TRACE /\");\n cmd2 = ereg_replace(pattern:\"GET /\", string:cmd2, replace:\"TRACK /\");\n\n ua = egrep(pattern:\"^User-Agent\", string:cmd1);\n \n reply = http_keepalive_send_recv(port:port, data:cmd1, bodyonly:TRUE);\n if ( reply == NULL ) exit(0);\n if(egrep(pattern:\"^TRACE \"+file+\" HTTP/1\\.\", string:reply))\n {\n\tif ( ua && ua >!< reply ) exit(0);\n\tsecurity_message(port:port, data:report);\n\texit(0);\n }\n \n reply = http_keepalive_send_recv(port:port, data:cmd2, bodyonly:TRUE);\n if(egrep(pattern:\"^TRACK \"+file+\" HTTP/1\\.\", string:reply))\n {\n if ( ua && ua >!< reply ) exit(0);\n\n security_message(port:port, data:report);\n }\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-05-08T08:39:53", "description": "Debugging functions are enabled on the remote web server.\n\n The remote web server supports the TRACE and/or TRACK methods. 
TRACE and TRACK\n are HTTP methods which are used to debug web server connections.", "cvss3": {}, "published": "2005-11-03T00:00:00", "type": "openvas", "title": "HTTP Debugging Methods (TRACE/TRACK) Enabled", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2223", "CVE-2004-2763", "CVE-2005-3398", "CVE-2007-3008", "CVE-2010-0386", "CVE-2006-4683", "CVE-2014-7883", "CVE-2009-2823", "CVE-2003-1567", "CVE-2004-2320", "CVE-2008-7253"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:136141256231011213", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011213", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HTTP Debugging Methods (TRACE/TRACK) Enabled\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (C) 2003 E-Soft Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11213\");\n script_version(\"2020-05-05T09:44:01+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"HTTP Debugging Methods (TRACE/TRACK) Enabled\");\n script_cve_id(\"CVE-2003-1567\", \"CVE-2004-2320\", \"CVE-2004-2763\", \"CVE-2005-3398\", \"CVE-2006-4683\",\n \"CVE-2007-3008\", \"CVE-2008-7253\", \"CVE-2009-2823\", \"CVE-2010-0386\", \"CVE-2012-2223\",\n \"CVE-2014-7883\");\n script_bugtraq_id(9506, 9561, 11604, 15222, 19915, 24456, 33374, 36956, 36990, 37995);\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2003 E-Soft Inc.\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/288308\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/867593\");\n script_xref(name:\"URL\", value:\"http://httpd.apache.org/docs/current/de/mod/core.html#traceenable\");\n script_xref(name:\"URL\", value:\"https://www.owasp.org/index.php/Cross_Site_Tracing\");\n\n script_tag(name:\"summary\", value:\"Debugging functions are enabled on the remote web server.\n\n The remote web server supports the TRACE 
and/or TRACK methods. TRACE and TRACK\n are HTTP methods which are used to debug web server connections.\");\n\n script_tag(name:\"insight\", value:\"It has been shown that web servers supporting this methods are\n subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in\n conjunction with various weaknesses in browsers.\");\n\n script_tag(name:\"impact\", value:\"An attacker may use this flaw to trick your legitimate web users to give\n him their credentials.\");\n\n script_tag(name:\"affected\", value:\"Web servers with enabled TRACE and/or TRACK methods.\");\n\n script_tag(name:\"solution\", value:\"Disable the TRACE and TRACK methods in your web server configuration.\n\n Please see the manual of your web server or the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port( default:80 );\nbanner = http_get_remote_headers( port:port );\nif( ! banner ) exit( 0 );\n\nvt_strings = get_vt_strings();\n\nreport = \"The web server has the following HTTP methods enabled:\";\nfile = \"/\" + vt_strings[\"lowercase_rand\"] + \".html\"; # Does not exist\ncmd1 = http_get( item:file, port:port );\ncmd2 = cmd1;\ncmd1 = ereg_replace( pattern:\"GET /\", string:cmd1, replace:\"TRACE /\" );\ncmd2 = ereg_replace( pattern:\"GET /\", string:cmd2, replace:\"TRACK /\" );\nua = egrep( pattern:\"^User-Agent\", string:cmd1 );\n\nres = http_keepalive_send_recv( port:port, data:cmd1, bodyonly:TRUE );\nif( res ) {\n if( egrep( pattern:\"^TRACE \" + file + \" HTTP/1\\.\", string:res ) ) {\n if( ! 
ua || ( ua && ua >< res ) ) {\n VULN = TRUE;\n report += \" TRACE\";\n expert_info += 'Request:\\n' + cmd1;\n expert_info += 'Response (Body):\\n' + res;\n }\n }\n}\n\nres = http_keepalive_send_recv( port:port, data:cmd2, bodyonly:TRUE );\nif( res ) {\n if( egrep( pattern:\"^TRACK \" + file + \" HTTP/1\\.\", string:res ) ) {\n if( ! ua || ( ua && ua >< res ) ) {\n VULN = TRUE;\n report += \" TRACK\";\n expert_info += 'Request:\\n' + cmd2;\n expert_info += 'Response (Body):\\n' + res;\n }\n }\n}\n\nif( VULN ) {\n security_message( port:port, data:report, expert_info:expert_info );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2021-08-19T13:20:38", "description": "The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2003-01-23T00:00:00", "type": "nessus", "title": "HTTP TRACE / TRACK Methods Allowed", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2003-1567", "CVE-2004-2320", "CVE-2010-0386"], "modified": "2020-06-12T00:00:00", "cpe": [], "id": "XST_HTTP_TRACE.NASL", "href": "https://www.tenable.com/plugins/nessus/11213", "sourceData": "#\n# This script was written by Thomas Reinke <reinke@securityspace.com>\n# Improvements re TRACK and RFP reference courtesy of <sullo@cirt.net>\n# Improvements by rd - http_get() to get full HTTP/1.1 support,\n# security_warning() instead of security_hole(), slight re-phrasing\n# of the description\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - added solution in the plugin output for JSAS9 (3/29/13)\n# - added CVE xref.\n# - title update (9/18/09)\n# - updated CVSS score (12/14/2015)\n# - Added note when TRACE/TRACK is enabled but reply is empty, added CVSSv3 score. 
(26/11/2018)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11213);\n script_version(\"1.73\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-2003-1567\", \"CVE-2004-2320\", \"CVE-2010-0386\");\n script_bugtraq_id(9506, 9561, 11604, 33374, 37995);\n script_xref(name:\"CERT\", value:\"288308\");\n script_xref(name:\"CERT\", value:\"867593\");\n\n script_name(english:\"HTTP TRACE / TRACK Methods Allowed\");\n script_summary(english:\"Test for TRACE / TRACK Methods.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Debugging functions are enabled on the remote web server.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server supports the TRACE and/or TRACK methods. TRACE\nand TRACK are HTTP methods that are used to debug web server\nconnections.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.apacheweek.com/issues/03-01-24\");\n script_set_attribute(attribute:\"see_also\", value:\"https://download.oracle.com/sunalerts/1000718.1.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable these HTTP methods. 
Refer to the plugin output for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2004-2320\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Tenable believes the XST vulnerability only affects Confidentiality, not Integrity (reflected in NVD's score for CVE-2010-0386)\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(16, 200);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2020 E-Soft Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\nsol[\"apache\"] = \"\nTo disable these methods, add the following lines for each virtual\nhost in your configuration file :\n\n RewriteEngine on\n RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\n RewriteRule .* - [F]\n\nAlternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2\nsupport disabling the TRACE method natively via the 'TraceEnable'\ndirective.\n\";\n\nsol[\"iis\"] = \"\nUse the URLScan tool to deny HTTP TRACE requests or to permit only the\nmethods needed to meet site requirements and policy.\n\";\n\nsol[\"SunONE\"] = '\nTo disable this method, add the following to the default object\nsection in obj.conf :\n\n <Client 
method=\"TRACE\">\n AuthTrans fn=\"set-variable\"\n remove-headers=\"transfer-encoding\"\n set-headers=\"content-length: -1\"\n error=\"501\"\n </Client>\n\nIf you are using Sun ONE Web Server releases 6.0 SP2 or below, compile\nthe NSAPI plugin located at :\n\nhttp://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603\n';\n\nsol[\"Sun_JSAS7\"] = '\nTo disable this method, add the following to the top of the default\nobject in <server-instance>-obj.conf :\n\n <Client method=\"TRACE\">\n AuthTrans fn=\"set-variable\" remove-headers=\"transfer-encoding\"\n set-headers=\"content-length: -1\" error=\"501\"\n </Client>\n\nand restart the Application server.\n';\n\n# this fix also works for JSAS 8 (tested against 8.2) even though it's undocumented for that version.\n# unfortunately version 8 doesn't explicitly report its version in the server header\nsol[\"Sun_JSAS9\"] = '\nTo disable this method, edit domain.xml, adding the \"traceEnabled\"\nproperty (set to \"false\") to the end of the http-service element :\n\n <property name=\"traceEnabled\" value=\"false\"/>\n </http-service>\n\nand restart the application server. Refer to the JSAS 9 Administrator\nReference for more information :\n\nhttp://docs.oracle.com/cd/E19501-01/819-3661/auto126/index.html\n';\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nnote = \"\";\n\nport = get_http_port(default:80, embedded:TRUE);\n\nif (! get_port_state(port)) exit(0, 'Port ' + port + ' is not open.');\n\nbanner = get_http_banner(port:port);\nif ( ! 
banner ) exit(1, 'Unable to get the web server banner on port ' + port + '.');\n\nif ( egrep(pattern:\"^Server:.*IIS\", string:banner) ) report = sol[\"iis\"];\nelse if ( egrep(pattern:\"^Server:.*Apache\", string:banner) ) report = sol[\"apache\"];\nelse if ( egrep(pattern:\"^Server.*SunONE\", string:banner) ) report = sol[\"SunONE\"];\nelse if ( egrep(pattern:\"^Server.*Sun-Java-System-Application-Server/7\", string:banner) ) report = sol[\"Sun_JSAS7\"];\nelse if ( egrep(pattern:\"^Server.*Sun Java System Application Server (Platform Edition )?9\", string:banner) ) report = sol[\"Sun_JSAS9\"];\n\nfile = \"/Nessus\"+rand() + \".html\";\t# Does not exist\n\n cmd1 = http_get(item: file, port:port);\n cmd2 = cmd1;\n \n cmd1 = ereg_replace(pattern:\"GET /\", string:cmd1, replace:\"TRACE /\");\n cmd2 = ereg_replace(pattern:\"GET /\", string:cmd2, replace:\"TRACK /\");\n\n ua = egrep(pattern:\"^User-Agent\", string:cmd1, icase:TRUE);\n \n reply = http_keepalive_send_recv(port:port, data:cmd1, bodyonly:FALSE);\n if ( reply == NULL ) exit(0, 'The host is not affected on port ' + port + '.');\n if ( ereg(pattern:\"^HTTP/.* 200 \", string:reply) )\n {\n r = strstr(reply, '\\r\\n\\r\\n');\n if (! 
r ) r = strstr(reply, '\\n\\n');\n full_reply = reply;\n reply = r;\n if(egrep(pattern:\"^TRACE \"+file+\" HTTP/1\\.\", string:reply))\n {\n\tif ( ua && tolower(ua) >!< tolower(reply) ) exit(0, 'The host is not affected on port ' + port + '.');\n report += string(\n '\\n',\n \"Nessus sent the following TRACE request : \\n\",\n \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n str_replace(find:'\\r\\n', replace:'\\n', string:cmd1),\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n \"\\n\",\n \"and received the following response from the remote server :\\n\",\n \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n str_replace(find:'\\r\\n', replace:'\\n', string:full_reply),\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\"\n );\n\tsecurity_warning(port:port, extra:report);\n\tset_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n\texit(0);\n }\n else\n {\n note += '\\n\\nAlthough TRACE is enabled on the remote web server, the server\\n' +\n 'replies with an empty response, which prevents XST (cross-site\\n' +\n 'tracing).';\n }\n }\n\n reply = http_keepalive_send_recv(port:port, data:cmd2, bodyonly:FALSE);\n if ( ereg(pattern:\"^HTTP/.* 200 \", string:reply) )\n {\n r = strstr(reply, '\\r\\n\\r\\n');\n if (! 
r ) r = strstr(reply, '\\n\\n');\n full_reply = reply;\n reply = r;\n if(egrep(pattern:\"^TRACK \"+file+\" HTTP/1\\.\", string:reply))\n {\n if ( ua && tolower(ua) >!< tolower(reply) ) exit(0, 'The host is not affected on port ' + port + '.');\n\n report += string(\n '\\n',\n \"Nessus sent the following TRACK request : \\n\",\n \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n str_replace(find:'\\r\\n', replace:'\\n', string:cmd2),\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n \"\\n\",\n \"and received the following response from the remote server :\\n\",\n \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n str_replace(find:'\\r\\n', replace:'\\n', string:full_reply),\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\"\n );\n security_warning(port:port, extra:report);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n }\n else\n {\n note += '\\n\\nAlthough TRACK is enabled on the remote web server, the server\\n' +\n 'replies with an empty response, which prevents XST (cross-site\\n' +\n 'tracing).';\n }\n }\nexit(0, 'The host is not affected on port ' + port + '.' + note);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "f5": [{"lastseen": "2016-11-09T00:09:57", "description": "Recommended action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. 
If the table does not list any version in the column, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {}, "published": "2014-12-11T00:00:00", "type": "f5", "title": "SOL15904 - Multiple third-party application-server vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2763", "CVE-2005-3398", "CVE-2007-3008", "CVE-2010-0386", "CVE-2003-1567", "CVE-2004-2320", "CVE-2003-1418"], "modified": "2014-12-11T00:00:00", "id": "SOL15904", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/900/sol15904.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "pentestpartners": [{"lastseen": "2022-01-25T10:27:15", "description": "\n\nThis is the first of my posts that explain why some common security vulnerabilities are most likely **not** real threats. They should be treated as security enhancements rather than vulnerabilities. Bearing in mind the number of scanning tools that rate such vulnerabilities as "high" it's no wonder people make the mistake of reporting them. 
It's also a reminder to mistrust the output from something until you've verified it.\n\nI'm going to start with the not-a-vulnerability mother of them all, the HTTP TRACE (and TRACK) method. Something that could lead to an attack called Cross-Site Tracing (XST). In 20 years I have never seen a real-world exploit for it.\n\n### What is it?\n\nHTTP TRACE is a debug method that is the HTTP equivalent of the echo service: it will basically reflect back in the response what is in the request. This is relatively boring. Where it got interesting was that when the vulnerability was released (in 2003) most web servers reflected the value of the request headers back. So back in 2003, it was potentially possible to gain session cookies if the method was available. This attack was found by [Jeremiah Grossman and named XST](<https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf>) (link opens a PDF).\n\nTRACK is a Microsoft-only variant of TRACE which pretty much does the same thing.\n\nHere\u2019s an example of an HTTP request and response against an Apache server:\n\n\n\n### Why is this not a vulnerability?\n\nThe landscape of web browser security has changed significantly since 2003. The exploit shown in the original paper was designed for use with Internet Explorer and explicitly uses the ActiveX Microsoft.XMLHTTP object to call the TRACE method. IE is, of course, deprecated and the ActiveX object's use was deprecated in IE 7.\n\nLet\u2019s look at it from a modern perspective. As it comes under cross-site attacks, we need to execute it in an environment that a user is using so we can discover their cookies, similar to CSRF or CORS-based attacks.\n\n### From the Server perspective\n\nWe also need a web server that supports the TRACE method. The TRACE method is optional, so an HTTP server does not need to support it to be conformant. A quick survey of the most common web servers shows:\n\n * Apache HTTP supports TRACE without a request body. 
This is enabled by default and can be controlled with the TraceEnable directive.\n * Nginx will always return a 405 Method Not Allowed.\n * IIS from version 6 and onwards disables it by default (except for 8.5 for some weird reason).\n\nThe Apache case is interesting; there\u2019s even a little passive-aggressive note in the [documentation](<https://httpd.apache.org/docs/2.4/mod/core.html#traceenable>) about this:\n\n\n\nThat\u2019s quite a confident claim from Apache!\n\n### From the Client perspective\n\nThe thing to bear in mind with XST is that it is a client attack. It employs the user\u2019s session and user-agent to perform the attack for it. It\u2019s a very early cross-site attack along the same line as CSRF, Flash CrossDomain access and CORS attacks.\n\nThis means that we need the user-agent, i.e. the web browser, to allow the use of the TRACE request and some mechanism of calling it.\n\nTo access a URL from JavaScript the usual methods are XMLHttpRequest (XHR) or the more modern fetch() API. Similar solutions such as jQuery generally use XHR or fetch().\n\nSo can we use these? Let\u2019s try XHR in Chrome, using the magic F12 hacking tool:\n\n\n\nOops, Chrome blocks the TRACE method. As Microsoft browsers caused the problem in the past, how about Edge?\n\n\n\nSo we can make a guess that all Chromium-based browsers will be similar, so how about Firefox?\n\n\n\nNope. So that covers the main browsers. I don\u2019t have Safari installed but I suspect there will be no difference. How about Internet Explorer (on Windows 10)?\n\n\n\nSo, from a modern Windows 10 device none of the common browsers can even make a call to the TRACE method. Once again, I\u2019ll state that as XST is in the class of cross-site exploits it **needs** to be exploited from the user-agent against a valid session.\n\nThe other thing to bear in mind is that in the current state of play any cross-site requests will need a valid CORS policy in place. 
All this is making it strangely hard to exploit anything.\n\n### What about other programs?\n\nSo, I only went through web browsers; but what about other programs? Here we have similar restrictions.\n\nAir, Flash, Silverlight, Unity 3D all have restriction methods, and again, all exploits are user-agent based. By transferring to a program inside the browser you lose access to the session information.\n\nThere is a potential that a malicious plugin could have an effect. However, if you have a malicious plugin installed then there are routes which are a lot easier and more flexible to extract information.\n\n### Historical vulnerabilities\n\nA quick search through the CVE database doesn\u2019t reveal much for this vulnerability. There are few enough CVEs that they can all be listed here:\n\n * CVE-2003-1567 \u2013 highlights the TRACK method in IIS which does the same as TRACE\n * CVE-2004-2320 \u2013 TRACE is enabled on WebLogic Server\n * CVE-2004-2763 \u2013 TRACE is enabled on Sun ONE/iPlanet Web Server\n * CVE-2005-3398 \u2013 TRACE is enabled on Solaris Management Console\n * CVE-2007-3008 \u2013 TRACE is enabled on AppWeb\n * CVE-2008-7253 \u2013 TRACE is enabled in Lotus Domino Server\n * CVE-2009-2823 \u2013 TRACE is enabled in Apache httpd on Mac OS X\n * CVE-2010-0360 \u2013 **this is the only real vulnerability that I\u2019ve found** \u2013 there\u2019s a heap overflow in the TRACE method in Java System Web Server 7.0 Update 7 which could return undisclosed data\n * CVE-2010-0386 \u2013 TRACE is enabled on Java System Application Server\n * CVE-2018-2502 \u2013 TRACE is enabled on SAP Business One Service Layer\n * CVE-2018-11039 \u2013 TRACE is enabled on Spring Framework\n\nAll but one of these are just highlighting the existence of TRACE (or TRACK). The only real exploit (CVE-2010-0360) is over a decade old, for a product that is no longer supported. 
It looks like the heap overflow can also be exploited through all methods, so, even with this, TRACE adds little extra risk and is only another possible vector.\n\n### Conclusion\n\nLet\u2019s put this one to bed. It\u2019s been 20 years since it was identified. It has been neutered on the server **and** on the client, so it would be far more difficult to exploit than any other form of attack on an equivalent system.\n\nRealistically, if it is in a pen test report, then it should only be informational to demonstrate that sufficient hardening hasn't been done.\n\nIt is good practice to disable anything you\u2019re not using, and you certainly don\u2019t lose any capabilities by disabling the TRACE method. I would much rather that efforts were spent fixing real vulnerabilities, rather than wasting time on facilities that have no exploit path.\n\nThe post [Security Blog](<https://www.pentestpartners.com/security-blog/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2022-01-25T06:08:46", "type": "pentestpartners", "title": "Vulnerabilities that aren\u2019t. 
Cross Site Tracing / XST", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-1567", "CVE-2004-2320", "CVE-2004-2763", "CVE-2005-3398", "CVE-2007-3008", "CVE-2008-7253", "CVE-2009-2823", "CVE-2010-0360", "CVE-2010-0386", "CVE-2018-11039", "CVE-2018-2502"], "modified": "2022-01-25T06:08:46", "id": "PENTESTPARTNERS:1C6EAE3D0C10C1B56BD63325DEB012A1", "href": "https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-cross-site-tracing-xst/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}