Here's the output that was forwarded to me. If possible I'd like to remove this alert, but it rated a B, which I can get to slide by.
Grant
Inspection Type
Vulnerability Name
Multiple Vendors Web Servers HTTP TRACE Method Vulnerability
Outline
There is a possibility of an information leak. The "TRACE" method makes the server echo the client's request message back to the client. If this method is successfully abused, authentication information such as HTTP Basic authentication credentials could be sniffed.
Impact
There is no problem with the HTTP TRACE method itself. However, if the Web site has a cross-site scripting vulnerability, a TRACE request can leak HTTP headers such as Basic authentication credentials.
Countermeasures
This issue can be avoided by disabling the TRACE method, which requires reconfiguring the server software. For Apache, the optional mod_rewrite module can control the TRACE method; for IIS, URLScan from the IIS Lockdown tool can. This countermeasure adds to the server management workload, so please consider whether it is necessary before reconfiguring.
Note
http://www.kb.cert.org/vuls/id/867593
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.atmarkit.co.jp/fsecurity/rensai/webhole04/webhole01.html
Additional Information
Port 9090

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=1h43cam3g7nac;path=/
Content-Type: message/http
Content-Length: 49

TRACE / HTTP/1.1
Host: foo.bar
X-Header: test
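As an added example (not part of Grant's post or the scanner's report), here is a small Python probe that sends a TRACE request, parses the raw response the way the Additional Information block shows it, and reports whether the method is honoured and which request headers came back in the echo. That echo is the whole point of the finding: TRACE is only dangerous when a header the browser adds by itself (Cookie, Authorization) is reflected to a page that can read it. The host foo.bar, the canary header values, the 405 "after fix" response and the `simulate_trace_echo` helper are constructed for the example; the first sample response reproduces the scanner's port-9090 capture.

```python
"""Added example: probe for an enabled HTTP TRACE method and report which
request headers the server echoes (the cross-site tracing precondition).
Not code from the original post or the scanner vendor; sample responses
are constructed, the first reproducing the scanner's port-9090 capture."""
import base64
import socket
from typing import Dict, List, Optional, Tuple

# Headers a browser attaches on its own; if the TRACE echo reflects them,
# a script on an XSS'd page could read credentials it cannot otherwise see.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def build_trace_request(host: str, extra: Optional[Dict[str, str]] = None) -> bytes:
    """Minimal HTTP/1.1 TRACE request, optionally carrying canary headers."""
    lines = ["TRACE / HTTP/1.1", f"Host: {host}"]
    for name, value in (extra or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status code, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:  # trim anything past the declared body
        body = body[: int(headers["content-length"])]
    return status, headers, body


def assess_trace(raw: bytes) -> Dict[str, object]:
    """Decide whether TRACE is honoured and which request headers were echoed.

    A server that honours TRACE answers 200 with Content-Type message/http
    and a body that is the request it received, so the echoed header names
    are just the header lines of that body (request line dropped).
    """
    status, headers, body = parse_response(raw)
    enabled = status == 200 and headers.get("content-type", "").lower().startswith("message/http")
    echoed: List[str] = []
    if enabled:
        for line in body.decode("iso-8859-1").split("\r\n")[1:]:
            if line.strip():
                echoed.append(line.partition(":")[0].strip().lower())
    return {
        "trace_enabled": enabled,
        "status": status,
        "echoed_headers": echoed,
        "sensitive_echoed": [h for h in echoed if h in SENSITIVE_HEADERS],
    }


def simulate_trace_echo(request: bytes) -> bytes:
    """Constructed stand-in for a TRACE-enabled server: echo the request verbatim."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
            b"Content-Length: %d\r\n\r\n" % len(request)) + request


def probe(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, object]:
    """Send a TRACE with dummy Cookie/Authorization canaries to a live host (not run offline)."""
    canaries = {"Cookie": "xst=canary",
                "Authorization": "Basic " + base64.b64encode(b"xst:canary").decode("ascii")}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, canaries))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return assess_trace(b"".join(chunks))


# Constructed sample 1: the scanner's capture from port 9090 as given in the
# post (the 49-byte body is exactly the three echoed request lines, CRLF-terminated).
TRACE_ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    b"Set-Cookie: JSESSIONID=1h43cam3g7nac;path=/\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 49\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: foo.bar\r\n"
    b"X-Header: test\r\n"
)

# Constructed sample 2: what the same server should answer once TRACE is disabled.
TRACE_DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("port 9090 capture:", assess_trace(TRACE_ENABLED_RESPONSE))
    print("after disabling TRACE:", assess_trace(TRACE_DISABLED_RESPONSE))
    print("echo with canaries:", assess_trace(
        simulate_trace_echo(build_trace_request("foo.bar", {"Cookie": "xst=canary"}))))
```

On the captured response the probe reports `trace_enabled` true with `host` and `x-header` echoed and nothing sensitive, because the scanner only sent X-Header; `probe()` sends Cookie and Authorization canaries instead, so a live run shows whether the credentials a browser would add come back. After TRACE is disabled (the report's mod_rewrite or URLScan route, or `TraceEnable off` on Apache 2.x), rerunning the probe should give the 405 shape of the second sample rather than a 200 message/http echo.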