Compliance Scan - Failed

User atotheo
Date 1/21/2008 10:14 am
Views 1560
atotheo

I run a third-party shopping cart (Cartmanager) for my site hosted with Plainblack (virtual host). My merchant account told me that new laws were passed requiring their customers to run a compliance scan on their ecommerce websites to be certain that there were no data vulnerabilities.

I set myself up on their platform to run the scan - my site has failed due to the following vulnerability:

Web Server HTTP Trace/Track Method Support Cross-Site Tracing (Vulnerability port 80/tcp)

A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.

A vulnerability related to this method was discovered. A malicious, active component in a Web page can send Trace requests to a Web server that supports this Trace method.

Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it's possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.


The significance of the Trace capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information, but gets it after the target Web server echoes it back as its Trace response.
Since this vulnerability exists as a support for a method required by the HTTP protocol specification, most common Web servers are vulnerable.

I have a full PDF report that explains more - however, it says that I should contact Plainblack as the problem exists at the Virtual Host level. 

Does anyone have any insight as to how I might solve this problem? I am not even quite sure who I should be asking, or where else I might post this message.

Thanks for any help!

--- (Edited on 1/21/2008 10:14 am [GMT-0600] by atotheo) ---


preaction

If you have Plain Black support, I'd start there. I've never heard of HTTP TRACE, and if someone was actually able to break WebGUI enough to put an AJAX handler that will send the results of an HTTP TRACE to another server, then it would have shown up as people doing stupid XSS attacks like alert("HACKED!");

I would consider this a red herring, but I'd ask Plain Black Support first. 

--- (Edited on 1/21/2008 1:18 pm [GMT-0600] by preaction) ---


atotheo
Thank you for the feedback. I do have Plainblack support, but have never been certain where that forum is - so here's a dumb question: Is there a separate support forum? Where?

--- (Edited on 1/21/2008 7:46 pm [GMT-0600] by atotheo) ---


colink
It's at http://www.plainblack.com/support

--- (Edited on 1/21/2008 8:41 pm [GMT-0600] by colink) ---


koen

http://www.cgisecurity.com/questions/httptrace.shtml

TRACE requests can be disabled by making a change to the Apache server configuration.

So if you are running WRE you can easily disable the trace in the mod_proxy webserver since that already uses mod_rewrite to get rid of the :80 port. 

--- (Edited on 22-January-2008 08:07 [GMT+0100] by koen) ---
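An added example of the change koen describes, not taken from the thread or from Plain Black's WRE configuration, assuming the WRE frontend is Apache httpd (as the mention of mod_proxy and mod_rewrite suggests); the hostname and backend port are placeholders.

```apache
# Added example (not WRE's shipped config): refuse HTTP TRACE, and the
# IIS-style alias TRACK, on the Apache mod_proxy frontend so a compliance
# scan no longer sees the request echoed back.
# www.example.com and port 81 are assumptions; adapt to the real frontend.

<VirtualHost *:80>
    ServerName www.example.com

    # Preferred on Apache 2.0.55 and later: the core directive makes the
    # server answer TRACE with 405 Method Not Allowed. It is not a
    # rewrite rule, so it cannot be bypassed by a later RewriteRule.
    TraceEnable off

    # Fallback for builds without TraceEnable: the frontend already loads
    # mod_rewrite (koen's point), so reject TRACE/TRACK before anything is
    # proxied. "-" leaves the URL untouched, [F] returns 403 Forbidden.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule .* - [F]

    # The frontend's existing rules follow, e.g. proxying to the mod_perl
    # backend (backend port is an assumption).
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:81/
    ProxyPassReverse / http://127.0.0.1:81/
</VirtualHost>
```

After reloading Apache, `curl -i -X TRACE http://www.example.com/` against your own host should return a 405 or 403 status line instead of echoing the request headers, which is what the scanner checks for.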

