Server Security - passing the audits

by Stuart

While putting a server through Barclaycard's PCI DSS security audit we came across a possible method of server attack:

Any server that supports the TRACE and TRACK methods over HTTP is potentially open to a vulnerability known as an XST attack (Cross Site Tracing). TRACE makes the server echo the request it received, headers included, so a carefully crafted TRACE request can be used to intercept a user's cookie information. All web server types can be vulnerable, IIS and Apache included.

To test:

telnet www.example.com 80

After the response

Trying 12.34.56.78...
Connected to www.example.com.
Escape character is '^]'.

enter these commands:

TRACE /index.html HTTP/1.1
Host: www.example.com
[CR]


[CR] = Carriage Return (press Enter on an empty line), which sends the blank line that signals the end of the request headers

If your server is vulnerable you will get a response back similar to this one (status 200, with the request echoed in the body):

HTTP/1.1 200 OK
Date: Sat, 17 Dec 2005 23:51:29 GMT
Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

30
TRACE /index.html HTTP/1.1
Host: www.example.com

0

Connection closed by foreign host.

If your server is not vulnerable you will get:

HTTP/1.1 403 Forbidden
Date: Sat, 17 Dec 2005 00:01:06 GMT
Server: Apache/1.3.33 Sun Cobalt (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6 PHP/4.3.10 mod_auth_pam_external/0.1 mod_perl/1.29
Last-Modified: Fri, 11 Feb 2005 05:30:57 GMT
ETag: "601d904-4dd-420c4311"
Accept-Ranges: bytes
Content-Length: 1245
Content-Type: text/html
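The same check as a script, added here as an example rather than anything from the original post or from cobaltfaqs.com: it sends the TRACE request shown above over a plain socket, classifies the reply the way the two telnet transcripts do (a 200 with Content-Type: message/http means the server echoed the request; a 403, 405 or 501 means it refused), and decodes the chunked echo so you can see exactly which request headers came back. The host name, the set of status codes treated as a refusal, and the two sample responses embedded in it are assumptions constructed from the transcripts above, not captured traffic.

```python
import socket

# Added example (not from the original post): the telnet TRACE check done
# programmatically, for running against servers you administer. Sample
# responses below are constructed from the transcripts in the post.

CRLF = b"\r\n"


def build_trace_request(host, path="/index.html"):
    """Build the request typed into telnet above: TRACE, Host, blank line."""
    request = f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return request.encode("ascii")


def split_response(raw):
    """Split a raw HTTP response into (status_code or None, headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].split(b" ", 2) if lines else []
    if len(parts) < 2 or not parts[1].isdigit():
        return None, {}, body
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (hex size line, data, CRLF, ... 0)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.find(CRLF, pos)
        if line_end == -1:
            break
        size_token = body[pos:line_end].split(b";")[0].strip()
        size = int(size_token, 16) if size_token else 0
        if size == 0:
            break
        start = line_end + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def trace_was_echoed(status, headers):
    """A 200 with Content-Type: message/http is the server echoing the request."""
    ctype = headers.get(b"content-type", b"").lower()
    return status == 200 and ctype.startswith(b"message/http")


def echoed_request(raw):
    """Return the request the server echoed back, or b'' if it echoed nothing."""
    status, headers, body = split_response(raw)
    if not trace_was_echoed(status, headers):
        return b""
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return dechunk(body)
    return body


def echoed_header_names(raw):
    """Names of the headers echoed back; a Cookie header sent by the client would show here."""
    names = []
    for line in echoed_request(raw).split(CRLF)[1:]:  # skip the echoed request line
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().decode("ascii", "replace"))
    return names


def classify_trace_response(raw):
    """'enabled' if the request was echoed, 'blocked' on a 403/405/501 refusal
    (assumed refusal codes), 'unknown' for anything else."""
    status, headers, _ = split_response(raw)
    if status is None:
        return "unknown"
    if trace_was_echoed(status, headers):
        return "enabled"
    if status in (403, 405, 501):
        return "blocked"
    return "unknown"


def check_trace(host, port=80, timeout=5.0):
    """Live check: connect, send the TRACE request, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        received = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            received.append(data)
    return classify_trace_response(b"".join(received))


# Constructed samples modelled on the two responses shown in the post.
ECHO = b"TRACE /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # 53 bytes -> chunk size 0x35
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\nConnection: close\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
    + b"%x\r\n" % len(ECHO) + ECHO + b"\r\n0\r\n\r\n"
)
SAMPLE_TRACE_BLOCKED = (
    b"HTTP/1.1 403 Forbidden\r\nServer: Apache/1.3.33 (Unix)\r\n"
    b"Content-Length: 0\r\nContent-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("echoed", SAMPLE_TRACE_ENABLED), ("refused", SAMPLE_TRACE_BLOCKED)):
        print(label, "->", classify_trace_response(sample), echoed_header_names(sample))
```

check_trace("www.example.com") performs the live check against a server you administer; the embedded samples let the parsing be exercised offline. Whatever headers the client sent come back in echoed_header_names(), which is exactly why an open TRACE is worth closing. On the fix side, the TraceEnable directive was only introduced in Apache 1.3.34 and 2.0.55, so on the Apache/1.3.33 build in the banners above the mod_rewrite rule in the next section is the available way to turn TRACE off; the 403 it produces classifies as blocked here.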


If you are vulnerable, the solution (for Apache at least) is:

Inside all VirtualHost containers (<VirtualHost>) add the following lines (there is a way of doing it in apache2.conf / httpd.conf with TraceEnable "off", but it didn't work for me):

<VirtualHost *:80>
    # (address/port and the rest of your existing container as before)

    # Block TRACE/TRACK (XST vector); needs mod_rewrite loaded
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
    RewriteRule .* - [F]
</VirtualHost>



Thanks to http://cobaltfaqs.com/ for the solution.
