Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
port 443/tcp
QID: 86473
CVSS Base: 5.8
Category: Web server
CVSS Temporal: 5
CVE ID: CVE-2004-2320, CVE-2007-3008
Vendor Reference:
Environment
CA Access Gateway (SPS) all versions
Cause
This finding is reported because the TRACE method is enabled/allowed on the CA Access Gateway (SPS).
When installing CA Access Gateway (SPS), an option asks whether to turn off the TRACE method or keep it enabled.
If the TRACE method was not turned off at that point, this is expected behavior.
Resolution
Turn off the TRACE method manually by following the steps below (1).
Be sure to back up the existing httpd.conf before modifying it.
Set "TraceEnable off" in the httpd.conf file:
Default: TraceEnable on
TRACE method disabled: TraceEnable off
Ensure there is no "LoadModule proxy_module modules/mod_proxy.so" in the httpd.conf file.
If such a line exists, either comment it out (prefix it with #) or delete the line.
Restart CA Access Gateway (SPS).
Now, when a user makes a request using the TRACE method, the user's browser will receive an HTTP 405 response.
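
A check for the two httpd.conf settings from the steps above, as an added example that is not part of the original article or of CA's tooling. The function and sample file names are hypothetical, the sample configs are constructed, and it assumes a flat httpd.conf (no Include files or per-virtual-host overrides).

```shell
#!/bin/sh
# Audit an httpd.conf against the resolution steps: TraceEnable must be off
# and no active "LoadModule proxy_module" line may be present.
# Prints findings; returns 0 if compliant, 1 otherwise.
audit_httpd_conf() {
    conf=$1
    rc=0
    # Directive names are case-insensitive; the last uncommented one wins.
    # If the directive is absent, the default stated in the article (on) applies.
    trace=$(awk 'BEGIN { v = "on" }
                 tolower($1) == "traceenable" { v = tolower($2) }
                 END { print v }' "$conf")
    if [ "$trace" != "off" ]; then
        echo "FAIL: effective TraceEnable is '$trace'"
        rc=1
    fi
    # Commented lines start with '#', so their first field never matches.
    if awk 'tolower($1) == "loadmodule" && $2 == "proxy_module" { found = 1 }
            END { exit !found }' "$conf"; then
        echo "FAIL: active LoadModule proxy_module line found"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: TraceEnable off, proxy_module not loaded"
    fi
    return "$rc"
}

# Constructed sample: state before the fix.
write_sample_before() {
    printf '%s\n' 'ServerName sps.example.test' \
        'LoadModule proxy_module modules/mod_proxy.so' \
        'TraceEnable on' > "$1"
}

# Constructed sample: state after the fix (module line commented out).
write_sample_after() {
    printf '%s\n' 'ServerName sps.example.test' \
        '#LoadModule proxy_module modules/mod_proxy.so' \
        'TraceEnable off' > "$1"
}

tmp=$(mktemp -d)
write_sample_before "$tmp/before.conf"
write_sample_after "$tmp/after.conf"
for f in "$tmp/before.conf" "$tmp/after.conf"; do
    echo "== $f"
    audit_httpd_conf "$f" || true
done
rm -rf "$tmp"
```

To check a real installation, call `audit_httpd_conf` with the path to the gateway's httpd.conf after editing it and before the restart.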