The Third Party Vulnerability Resolution Blog covers CVEs and patches in Systems product suite.

Sun Alert 102016 The Solaris Management Console (SMC) Enables TRACE HTTP by Default

Guest Author
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

The Solaris Management Console (smc(1M)) is a graphical user interface that provides access to Solaris system administration tools which includes a web server that runs on port 898. This SMC web server enables the HTTP TRACE method by default which may allow a local or remote unprivileged user the ability to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of an HTTP TRACE request.

This issue is described in the CERT Vulnerability VU#867593 (see http://www.kb.cert.org/vuls/id/867593).

Note: The HTTP TRACE method asks a web server to echo the contents of the request back to the client for debugging purposes. The HTTP TRACE method is described in the HTTP 1.1 standard (RFC 2616, section 9.8). The TRACE method is enabled by default in Solaris Management Console (SMC) webserver.

Avoidance: Patch, Workaround
State: Resolved
First released: 26-Oct-2005

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.