Here’s the output that was forwarded to me. If possible I’d like to remove this alert but it rated a B which I can get to slide by.
Multiple Vendors Web Servers HTTP TRACE Method Vulnerability
There is a possibility of information leak. The “TRACE”
method is that responses clients’ request messages from server to
the clients such “echo.” If this method is successfully
abused, the authentication information such as basic
authentication for HTTP is possibly able to be sniffed.
There is no problem on the HTTP TRACE Method itself. However,
this method possibly causes information leak of HTTP header such
as basic authentication by a request of the TRACE method if the
Web site has a cross-site scripting vulnerability.
It is able to avoid this issue by voiding the TRACE method. It
is necessary to re-integrate the server software to void. In case
of using Apache, the optional module, which is mod_rewrite, and In
case of IIS, URLScan, which is in the IIS Lockdown tool, controls
the TRACE method. This countermeasure is one of the risks of the
server management workload so that please consider the necessity
before taking the re-integrating action.
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970
TRACE / HTTP/1.1
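
A check that could be run after TRACE has been disabled, to confirm the finding above is cleared. This is an added example, not part of the original post or the scanner's output: it classifies a raw response to a TRACE probe. The function names, the `X-Probe` header, the marker value and every sample response are constructed assumptions.

```python
# Added example: decide from a raw HTTP response whether TRACE is still answered.
# The probe is assumed to have carried a unique marker in an X-Probe header.

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def trace_status(raw: bytes, marker: str) -> str:
    """Return 'enabled', 'disabled' or 'inconclusive' for a TRACE probe."""
    status, headers, body = parse_response(raw)
    # An echoing server returns the request line and the probe's own headers.
    echoed = body.lstrip().upper().startswith(b"TRACE ") and marker.encode() in body
    is_message_http = headers.get("content-type", "").startswith("message/http")
    if status == 200 and (echoed or is_message_http):
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    # e.g. a 200 with an ordinary page: the method was ignored, not echoed.
    return "inconclusive"


# Constructed sample responses (not captured from any real server).
MARKER = "probe-7f3a"
ECHOED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
          b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\nX-Probe: probe-7f3a\r\n\r\n")
REFUSED_405 = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
REFUSED_403 = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
HOME_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"

if __name__ == "__main__":
    for name, raw in [("echoed", ECHOED), ("405", REFUSED_405),
                      ("403", REFUSED_403), ("home page", HOME_PAGE)]:
        print(name, "->", trace_status(raw, MARKER))
```

An "inconclusive" result means the reply neither echoed the probe nor refused the method, so the response should be inspected by hand before the alert is closed.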