The HTTP TRACE method is a debugging tool in Apache that just echoes back what was sent to it. Attackers could potentially use this to trick a browser into revealing cookies or other request details from the domain with HTTP TRACE enabled. See http://www.apacheweek.com/issues/03-01-24#news for more info.
Here is a sample HTTP TRACE session through telnet:
[root@wwwa ~]# telnet 11.22.33.44 80
Trying 11.22.33.44...
Connected to mywebsite.com (11.22.33.44).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing

HTTP/1.1 200 OK
Date: Thu, 29 Nov 2007 15:25:59 GMT
Server: Apache/2.2.6 (Unix)
Transfer-Encoding: chunked
Content-Type: message/http

42
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing
Disabling this is easy enough. Just add this to your Apache configuration:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* http://www.campusbooks.com/ [R]
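To confirm the change took effect on a server you administer, the probe from the telnet session can be scripted and the reply classified. This is an added example, not part of the original post; the function names, the result labels and the two sample responses are constructed for illustration.

```python
import socket
import uuid

# Constructed sample responses (not captured traffic): the echo from the telnet
# session above, and the 302 that the RewriteRule ... [R] mitigation returns.
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
               b"Content-Type: message/http\r\n\r\n42\r\nTRACE / HTTP/1.1\r\n"
               b"Host: www.mywebsite.com\r\nX-Header: testing\r\n\r\n\r\n0\r\n\r\n")
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: http://www.campusbooks.com/\r\n\r\n")

def build_probe(host, marker):
    """TRACE request with a marker header, mirroring the telnet session."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Header: {marker}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def classify(raw, marker):
    """'enabled' if the server echoed the request, 'blocked' if it refused
    or redirected it, 'unknown' for anything else."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    ctype = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.strip().lower()
    # A small echo fits in one chunk, so a substring search of the body is enough.
    echoed = marker.encode("ascii") in body
    if status == 200 and (echoed or ctype.startswith("message/http")):
        return "enabled"
    if status in (301, 302, 303, 307, 308, 403, 405, 501):
        return "blocked"
    return "unknown"

def check_trace(host, port=80, timeout=5.0):
    """Send the probe to a server you administer and classify the reply."""
    marker = uuid.uuid4().hex
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, marker))
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    return classify(raw, marker)

if __name__ == "__main__":
    print(classify(SAMPLE_ECHO, "testing"), classify(SAMPLE_REDIRECT, "testing"))
```

Run check_trace against each virtual host separately, since rewrite rules placed in one virtual host do not apply to the others.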