Note: This is an archival copy of Security Sun Alert 200171 as previously published on
The latest version of this security advisory is available as Sun Alert 1000125.1.
Article ID : 1000125.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun ONE/iPlanet Web Server Enable HTTP TRACE Method by Default


Release Phase

Bug Id

Date of Resolved Release

CERT Vulnerability VU867593 ... see below:


CERT Vulnerability VU867593 describes a technique to abuse the HTTP TRACE functionality to gain access to information in HTTP headers. This technique may be used to access sensitive information in HTTP headers using the HTTP TRACE method when making HTTP requests to Sun ONE/iPlanet Web Servers.

This issue is described in the CERT Vulnerability VU#867593 (see

Note 1: HTTP TRACE, which is part of the HTTP 1.1 standard and described in RFC 2616, is enabled by default on Sun ONE/iPlanet Web Servers.

Note 2: Sun ONE/iPlanet Web Servers could be used as an agent to exploit this issue.

Contributing Factors

This issue can occur in the following releases:

  • Sun ONE/iPlanet Web Server 4.1 and all Service Packs
  • Sun ONE/iPlanet Web Server 6.0 and all Service Packs
  • Sun ONE/iPlanet Web Server 6.1 and all Service Packs
  • Sun Java System Web Server 7.0 and later

For supported architectures and OS versions see:


There are no predictable symptoms that would show the described issue has been exploited.


The described issue is not a defect of the Sun ONE/iPlanet Web Server. However, the following recommendation is provided to avoid this issue.

Disable HTTP TRACE support for the affected Sun ONE/iPlanet Web Server releases as follows:

  • Sun ONE Web Server releases 6.0 Service Pack 2 and later, 6.1, and 7.0 and later:
	Add the following to the top of the default object in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
	Restart the web server.
  • Sun ONE Web Server releases prior to 6.0 Service Pack 2:
	Create a file called reject_trace.c and paste the code below into it
	----------------------------- start --------------------------------
	#include <string.h>
	#include "nsapi.h"

	/* AuthTrans function: refuse HTTP TRACE requests with 501 Not Implemented */
	NSAPI_PUBLIC int reject_trace(pblock *pb, Session *sn, Request *rq)
	{
	    const char *method;
	    method = pblock_findval("method", rq->reqpb);
	    if (method && !strcmp(method, "TRACE")) {
	        /*
	         * Set a bogus content length so the TRACE handler will refuse to
	         * handle the request
	         */
	        param_free(pblock_remove("content-length", rq->headers));
	        pblock_nvinsert("content-length", "-1", rq->headers);
	        log_error(LOG_WARN, "reject-trace", sn, rq, "rejecting TRACE request");
	        protocol_status(sn, rq, PROTOCOL_NOT_IMPLEMENTED, NULL);
	        return REQ_ABORTED;
	    }
	    return REQ_NOACTION;   /* not a TRACE request: let the remaining functions run */
	}
	----------------------- end --------------------------------
	Compile the NSAPI plugin into a shared library, then:
For Sun ONE/iPlanet Web Server 6.0 RTM and 6.0 SP1, add the following to the end of the magnus.conf file:
	Init fn="load-modules" shlib="<path to library>/" funcs="reject_trace"
Then edit the obj.conf file and add the following line after <Object name="default">:
	AuthTrans fn="reject_trace"
For Sun ONE/iPlanet Web Server 4.1 Service Pack 1 through 12, edit the obj.conf file and add the following to the end of the Init section:
	Init fn="load-modules" shlib="<path to library>/" funcs="reject_trace"
Then add the following line after <Object name="default">:
	AuthTrans fn="reject_trace"

Note: The above script is provided "AS IS" and it is the user's responsibility to verify it has been implemented correctly.
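To verify that the workaround took effect, here is an added Python check that is not part of the Sun Alert: it sends a single TRACE request to a server you administer and reports whether the server refused it (the 501 from the configuration above, or a 405) or echoed the request back. The host name and the sample responses used for the offline check are constructed.

```python
import socket

# Marker header we send; if it comes back in the body, the server echoed TRACE.
MARKER = "X-Check: trace-probe"

def build_trace_request(host):
    """Raw HTTP/1.1 TRACE request; Connection: close so recv() sees EOF."""
    return ("TRACE / HTTP/1.1\r\nHost: %s\r\n%s\r\n"
            "Connection: close\r\n\r\n" % (host, MARKER)).encode("ascii")

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def trace_disabled(raw):
    """True if the server refused TRACE (501 from the workaround above, or 405).
    A 200 with a message/http body is the TRACE echo: request headers are reflected."""
    code, headers, body = parse_response(raw)
    if code in (405, 501):
        return True
    if code == 200 and headers.get("content-type", "").startswith("message/http"):
        return False
    return MARKER.encode("ascii") not in body   # no reflection => treated as disabled

def probe(host, port=80, timeout=5):
    """Send one TRACE to a server you administer and report whether it is refused."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_disabled(b"".join(chunks))

# Constructed sample responses (not captured from a real server) for offline checks.
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Check: trace-probe\r\n\r\n")
SAMPLE_REJECT = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"
```

Run `probe("your-server")` after restarting the web server; `trace_disabled(SAMPLE_ECHO)` and `trace_disabled(SAMPLE_REJECT)` show the two outcomes without network access.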


This issue may be addressed by disabling HTTP TRACE as shown above in the Relief/Workaround section.

Note: this issue also affects all future releases of this product.
Modification History

Date: 26-AUG-2009
  • Updated Contributing Factors to include Web Server 7.0 and all subsequent releases

Date: 02-MAY-2003
  • Updated Relief/Workaround section

Date: 19-MAY-2003
  • typos in Relief/Workaround section

Date: 13-AUG-2004
  • Updated Contributing Factors and Relief/Workaround sections

Sun Java System Web Server 7.0
