Is PowerChute Network Shutdown vulnerable to Cross Site Tracing (XST)?

Hôm nay chúng tôi có thể giúp gì cho bạn?

Issue:
Is PowerChute Network Shutdown vulnerable to Cross Site Tracing (XST)?

Product:
PowerChute Network Shutdown

Environment:
All support OS

Cause:
Jetty web server

Solution:

The PCNS application is hosted on a Jetty Web Server. By default Jetty appears to have the HTTP TRACE method enabled.

In earlier versions of PowerChute (prior to 4.0), in response to an HTTP OPTIONS request the Jetty Web Server lists TRACE as an available option. However the TRACE method is blocked by the PCNS application.

HTTP/1.1 405 Method Not Allowed is sent in response to any TRACE request. Therefore PCNS is not vulnerable to CrossSite Tracing.

Cross site tracing (XST) is a vulnerability exploiting the HTTP TRACE method.
Further information can be found here:

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

Đã phát hành cho: Schneider Electric Việt Nam

Phát hành vào:13/8/2012Sửa lần cuối vào:6/10/2025

Phạm vi:

PowerChute Network Shutdown

Phạm vi:

PowerChute Network Shutdown

Đã phát hành cho: Schneider Electric Việt Nam

Sản phẩm

Hỗ trợ

Công ty

Liên kết nhanh

Đối tác

Phát triển bền vững

Sự kiện

Thông tin chuyên môn
opens new tab