Hi all, recently I've stumbled upon the same issue in Securing HTTP TRACE/TRACK. The statement made by the Apache team is true: it does not expose a vulnerability in Apache.
But that is not the point. It might be used to attack any web application hosted on Apache.
See: https://www.owasp.org/index.php/Cross_Site_Tracing
Therefore most vulnerability assessment tools will flag the TRACE method as critical.
What's the point in having a client see what is being received at the other end of the request chain and use that data for testing or diagnostic information in a production environment?
And as confirmed this year, this could be used to grab session cookies and steal admin connections, as reported in many CVEs.
My point is that there's no benefit and only risks for customer sessions, so I ask you to reconsider the actual behaviour and disable "tracing" by default.
For your information:
- Red Hat disabled tracing for oVirt: 1764959 – Apache is configured to offer TRACE method (security)
Thanks in advance
Nick
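The post says vulnerability assessment tools flag TRACE because an allowed TRACE echoes the request, including any session cookie, back to the client. The check below, an added example that is not part of the post or of Apache, classifies a captured HTTP response to a TRACE request the way such a tool does: a 200 with `Content-Type: message/http` whose body starts with the echoed request line means TRACE is enabled, and the echoed headers show which sensitive request headers (cookie, authorization) the server reflects. The two sample responses are constructed, not captured from a real server; the 405 response mirrors what Apache returns once `TraceEnable off` is set.

```python
"""Classify a captured response to an HTTP TRACE request.

Added example; not code from the original post or from the Apache project.
The sample responses at the bottom are constructed for illustration.
"""


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).

    Header names are lower-cased; the body is returned as raw bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    status_code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def trace_enabled(raw: bytes) -> bool:
    """True when the server honoured the TRACE.

    Per RFC 7231 an honoured TRACE answers 200 with Content-Type
    message/http and echoes the received request in the body; Apache with
    TraceEnable off answers 405 Method Not Allowed instead.
    """
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return (
        status == 200
        and ctype == "message/http"
        and body.upper().startswith(b"TRACE ")
    )


def reflected_headers(raw: bytes, sensitive=("cookie", "authorization")) -> list:
    """Names of sensitive request headers the TRACE response echoes back.

    This is the exposure the post describes: anything the browser attached
    to the request (session cookie, HTTP auth) comes back in the body.
    """
    if not trace_enabled(raw):
        return []
    _, _, body = parse_response(raw)
    echoed_head = body.partition(b"\r\n\r\n")[0]
    found = []
    for line in echoed_head.split(b"\r\n")[1:]:  # skip the echoed request line
        name = line.decode("latin-1").partition(":")[0].strip().lower()
        if name in sensitive:
            found.append(name)
    return found


# Constructed sample: TRACE honoured, request (with cookie) echoed back.
TRACE_ON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: JSESSIONID=constructed-sample-value\r\n"
    b"\r\n"
)

# Constructed sample: what Apache returns after `TraceEnable off`.
TRACE_OFF = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET,POST,OPTIONS,HEAD\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>\r\n"
)


if __name__ == "__main__":
    for label, sample in (("enabled", TRACE_ON), ("disabled", TRACE_OFF)):
        print(label, trace_enabled(sample), reflected_headers(sample))
```

The functions take raw response bytes, so the same logic works on a captured response from a local test instance or on a packet capture; the `TraceEnable off` directive in the server configuration is the standard way to get the 405 behaviour the second sample shows.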