How do I turn off TRACE method in Access Gateway

Article ID: 211432


Products

SITEMINDER

Issue/Introduction

A vulnerability scan reported the following findings on SiteMinder Access Gateway R12.8SP4:

Vulnerabilities (9)
3 HTTP TRACE / TRACK Methods Enabled port 443/tcp
QID: 12680 CVSS Base: 5.8
Category: CGI CVSS Temporal: 5.2
CVE ID: CVE-2004-2320, CVE-2010-0386, CVE-2003-1567
Vendor Reference:

Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability port 443/tcp
QID: 86473 CVSS Base: 5.8
Category: Web server CVSS Temporal: 5
CVE ID: CVE-2004-2320, CVE-2007-3008
Vendor Reference:

Cause

The scanner reports these findings because the TRACE method is enabled on the Access Gateway.

When you install Access Gateway, you are asked whether you want to turn off the TRACE method.

If you chose not to turn off the TRACE method, this is expected behavior.

Environment

Release : 12.8.04

Component : SITEMINDER SECURE PROXY SERVER

Resolution

You can turn off the TRACE method manually by following the steps below.

Step 1: Set "TraceEnable off" in your httpd.conf file.

Step 2: Ensure there is no "LoadModule proxy_module modules/mod_proxy.so" in the httpd.conf file.

After that, a TRACE request returns an HTTP 405 response.
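
The two httpd.conf checks and the 405 verification above can be scripted. This is an added example, not code from the product or its documentation; the function names and the URL passed to probe_trace are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit an httpd.conf for the two settings in the steps above.

# Print active (non-comment, non-empty) lines with leading whitespace stripped.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Return 0 if the file passes both checks, 1 otherwise; findings go to stdout.
check_trace_conf() {
    conf=$1
    rc=0
    # Step 1: the last active TraceEnable directive must be "off".
    # Apache directive names and this value are case-insensitive.
    last=$(active_lines "$conf" | grep -i '^TraceEnable[[:space:]]' \
           | tail -n 1 | awk '{print tolower($2)}')
    if [ "$last" != "off" ]; then
        echo "FAIL: TraceEnable is '${last:-not set}', expected 'off'"
        rc=1
    fi
    # Step 2: no active LoadModule line for proxy_module
    # (a commented-out line is fine; proxy_http_module etc. do not match).
    if active_lines "$conf" \
        | grep -iqE '^LoadModule[[:space:]]+proxy_module[[:space:]]'; then
        echo "FAIL: LoadModule proxy_module is active"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $conf"
    return "$rc"
}

# Verification: a TRACE request to the gateway should return HTTP 405.
# $1 is the gateway URL, supplied by the caller (placeholder, not from the article).
probe_trace() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -X TRACE "$1")
    [ "$code" = "405" ]
}

# Usage: ./check_trace.sh /path/to/httpd.conf
if [ "$#" -ge 1 ]; then check_trace_conf "$1"; fi
```

A file that never sets TraceEnable fails the first check, so the script reports the directive as not set rather than assuming a default.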

Additional Information

Documentation: HTTP Trace Method in Access Gateway