Mbedthis AppWeb HTTP TRACE Method XSS

2007-05-24T13:48:43
ID OSVDB:35511
Type osvdb
Reporter Michael O'Brien (mob@mbedthis.com)
Modified 2007-05-24T13:48:43

Description

Vulnerability Description

appweb contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a request using the HTTP TRACE method is sent in conjunction with certain browsers, which will disclose users' cookies or authentication data, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.2.2 or higher, as it has been reported to fix this vulnerability (the TRACE method is disabled by default in that version). Additionally, implement the following change: set the 'TraceMethod' option to 'off' in appweb.conf.
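As an added example (not part of this advisory or of Appweb), a small Python check a defender can run over a captured TRACE response to confirm that 'TraceMethod off' took effect. Per RFC 2616 section 9.8, a server with TRACE enabled answers 200 with Content-Type message/http and echoes the request message, so any Cookie or Authorization header the client sent comes back in the body; the sample responses below are constructed for the check, not captures from Appweb.

```python
# Constructed sample: what a server with TRACE enabled sends back
# (RFC 2616 sec. 9.8 shape). Not an Appweb capture.
TRACE_ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: session=deadbeef\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"\r\n"
)

# Constructed sample of a refused TRACE (the exact status Appweb returns
# with TraceMethod off is an assumption here; the check only needs "not 200").
TRACE_DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Request headers that carry credentials and must never be reflected.
SENSITIVE_HEADERS = ("cookie", "authorization")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw: bytes) -> bool:
    """True when the response is a TRACE echo: 200 with message/http body."""
    status, headers, _ = parse_response(raw)
    ctype = headers.get("content-type", "").lower()
    return status == 200 and ctype.startswith("message/http")


def echoed_sensitive_headers(raw: bytes) -> list:
    """Names of credential-bearing request headers the server reflected."""
    if not trace_enabled(raw):
        return []
    _, _, body = parse_response(raw)
    found = []
    # Skip the echoed request line; inspect the echoed header lines.
    for line in body.decode("iso-8859-1").split("\r\n")[1:]:
        name = line.partition(":")[0].strip().lower()
        if name in SENSITIVE_HEADERS:
            found.append(name)
    return found
```

After applying the configuration change, a TRACE request to the server should yield a response for which trace_enabled() returns False and echoed_sensitive_headers() returns an empty list.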

Short Description

appweb contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a request using the HTTP TRACE method is sent in conjunction with certain browsers, which will disclose users' cookies or authentication data, resulting in a loss of confidentiality.

References:

Vendor Specific News/Changelog Entry: http://www.mbedthis.com/products/appWeb/doc/product/newFeatures.html
Vendor Specific News/Changelog Entry: http://www.appwebserver.org/forum/viewtopic.php?t=996
Secunia Advisory ID: 25636
ISS X-Force ID: 34854
Generic Informational URL: http://www.kb.cert.org/vuls/id/867593
CVE ID: CVE-2007-3008
Bugtraq ID: 24456