Is PowerChute Network Shutdown vulnerable to Cross Site Tracing (XST)?
Issue:
Is PowerChute Network Shutdown vulnerable to Cross Site Tracing (XST)?
Product:
PowerChute Network Shutdown
Environment:
All supported OS
Cause:
Jetty web server
Solution:
The PCNS application is hosted on a Jetty Web Server. By default, Jetty appears to have the HTTP TRACE method enabled.
In earlier versions of PowerChute (prior to 4.0), the Jetty Web Server lists TRACE as an available option in response to an HTTP OPTIONS request. However, the TRACE method is blocked by the PCNS application.
HTTP/1.1 405 Method Not Allowed is sent in response to any TRACE request. Therefore, PCNS is not vulnerable to Cross Site Tracing.
Cross Site Tracing (XST) is a vulnerability exploiting the HTTP TRACE method.
Further information can be found here:
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
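An added example (not Schneider Electric's or Jetty's code) of the check this answer describes: compare what OPTIONS advertises with what a TRACE request actually returns. The two local handlers, the `X-Xst-Check` header and the marker value are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class BlocksTrace(BaseHTTPRequestHandler):
    """Constructed stand-in: OPTIONS advertises TRACE, TRACE itself gets 405."""
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, TRACE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_TRACE(self):
        self.send_error(405)
    def log_message(self, *args):  # keep the demo quiet
        pass

class EchoesTrace(BlocksTrace):
    """Constructed contrast case: TRACE echoes the request headers back."""
    def do_TRACE(self):
        body = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items()).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def probe(host, port, method, marker):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/", headers={"X-Xst-Check": marker})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow", ""), resp.read().decode(errors="replace")
    finally:
        conn.close()

def check_trace(host, port, marker="constructed-marker-1234"):
    """Return (advertised, trace_status, reflected) for one server."""
    _, allow, _ = probe(host, port, "OPTIONS", marker)
    advertised = "TRACE" in [m.strip().upper() for m in allow.split(",")]
    status, _, body = probe(host, port, "TRACE", marker)
    # Exposure needs the request echoed back, not just an Allow entry.
    return advertised, status, status == 200 and marker in body

def run_local(handler):
    with HTTPServer(("127.0.0.1", 0), handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return check_trace("127.0.0.1", server.server_port)
        finally:
            server.shutdown()
```

To repeat the check against a service you administer, call `check_trace` with its host and port. For a TLS listener, swap `HTTPConnection` for `http.client.HTTPSConnection`.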
Published for: Schneider Electric Taiwan