Interesting, I got the following from our security audit today; first time we have failed in years.
I am not sure how to fix this, but they must have changed their testing methodology... We use Domino 8.0.1.
Howard
Security Vulnerabilities

Protocol: TCP
Port: 80
Program: http
Risk: 5

Summary:
Synopsis: Debugging functions are enabled on the remote web server.
Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also:
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution: Disable these methods.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output: The server response from a TRACE request is:
TRACE /SMetrics1555461136.html HTTP/1.1
Connection: Keep-Alive
Host: tlcc.com
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U Smetrics )
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
CVE: CVE-2004-2320
BID: 9506, 9561, 11604
Other references: OSVDB:877, OSVDB:3726
Feedback response number HDGG7HHJ35 created by ~Joseph Bubavitchli on 08/14/2008
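As an added example (not from this thread and not Domino's own tooling), a small Python check an administrator can run against a server they manage to confirm that TRACE/TRACK really is off after applying the "disable these methods" fix; the sample responses are constructed and example.test is a placeholder host.

```python
import socket

# Constructed sample responses (not from the poster's server): TRACE honoured vs refused.
TRACE_ECHOED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                b"Content-Length: 57\r\n\r\n"
                b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: SID=abc\r\n\r\n")
TRACE_REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

def build_request(host: str, method: str = "TRACE", path: str = "/") -> bytes:
    # Same shape as the request the scanner sent; TRACK is the IIS-style alias.
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw: bytes):
    # Split a raw response into (status code, lower-cased header dict, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def debug_method_enabled(raw: bytes, method: str = "TRACE") -> bool:
    # TRACE/TRACK support shows as 200 + a message/http echo; 405/501/403 mean it is off.
    status, headers, body = parse_response(raw)
    return (status == 200
            and headers.get("content-type", "").lower().startswith("message/http")
            and body.startswith(method.encode("ascii") + b" "))

def echoed_headers(raw: bytes) -> list:
    # Request headers the server reflected back; a reflected Cookie is the XST exposure described.
    _, _, body = parse_response(raw)
    names = []
    for line in body.split(b"\r\n")[1:]:
        if not line:
            break
        names.append(line.split(b":", 1)[0].strip().lower().decode("iso-8859-1"))
    return names

def probe(host: str, port: int = 80, method: str = "TRACE", timeout: float = 5.0) -> bool:
    # Live re-check of a server you administer, over plain HTTP like the scan on port 80.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, method))
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return debug_method_enabled(b"".join(chunks), method)
```

Run probe() once for TRACE and once for method="TRACK"; both should return False after the fix.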