Security vulnerabilities: 1) Trace and Track 2) weak SSL ciphers

Posted on 2009-02-08
Last Modified: 2013-11-16
I have the following 2 Nessus scan results which have been bugging us for a while
because when my colleague tried to fix them, it affected the web service.

Does anyone have any idea how to address them without affecting the service?


interwise (7778/tcp)

Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See Also :


Disable these methods.

Risk Factor :

Medium / CVSS Base Score : 5.0


csd-mgmt-port (3071/tcp)

Synopsis :

The remote service supports the use of weak SSL ciphers.

Description :

The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.

See Also :


Reconfigure the affected application if possible to avoid use of weak

Risk Factor :

Medium / CVSS Base Score : 5.0

Plugin output :

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Question by: sunhux
    LVL 9

    Accepted Solution

    They're both going to affect the web service by nature of the issue, as they are web service vulnerabilities, so there is no way to remediate without affecting it.

    With that said, what OS is it?

    In Windows, this is a reg hack to disable the weak ciphers.  This should not have a significant effect on the web service, as you're basically saying, don't negotiate SSL using these certain weak encryption ciphers -- typically, a good idea, right?  You don't want that SSL negotiation to be hacked/decrypted by the bad guys.

    Check out:

    Trace and Track are usually only needed for debugging and don't affect the end user experience.  I would suggest disabling these, and enabling them only when troubleshooting.
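    The "reg hack" the accepted answer refers to is the documented Schannel cipher switch under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers, where a DWORD `Enabled` of 0 disables a cipher. The script below is an added example, not code from the thread; the list of cipher key names is the usual weak set for Windows 2003, and which of them removes each export suite in the scan should be confirmed by rescanning.

```powershell
# Added example: disable weak Schannel ciphers (NULL, single DES, 40/56-bit RC2/RC4)
# on a Windows server, then read the keys back so the change can be verified.
# Run from an elevated PowerShell session; Schannel reads these at boot, so reboot afterwards.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Key names exactly as Schannel spells them. Several contain a forward slash, which the
# PowerShell registry provider treats as a path separator, so the .NET registry API is
# used instead of New-Item / Set-ItemProperty.
$weakCiphers = @(
    'NULL',         # no encryption at all
    'DES 56/56',    # single DES
    'RC2 40/128',   # export-strength RC2
    'RC2 56/128',
    'RC4 40/128',   # export-strength RC4 (EXP-RC4-MD5 in the scan)
    'RC4 56/128'
)

$hklm    = [Microsoft.Win32.Registry]::LocalMachine
$ciphers = $hklm.OpenSubKey($ciphersPath, $true)
if ($null -eq $ciphers) { $ciphers = $hklm.CreateSubKey($ciphersPath) }

foreach ($name in $weakCiphers) {
    # CreateSubKey opens the key for write if it already exists.
    $key = $ciphers.CreateSubKey($name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Report the resulting state of every cipher key present.
foreach ($name in $ciphers.GetSubKeyNames()) {
    $key     = $ciphers.OpenSubKey($name)
    $enabled = $key.GetValue('Enabled')
    $state   = if ($enabled -eq 0) { 'disabled' } else { 'enabled (default)' }
    Write-Output ('{0,-16} {1}' -f $name, $state)
    $key.Close()
}
$ciphers.Close()
```

    Strong ciphers (RC4 128/128, Triple DES 168, AES on later releases) are left untouched, so clients that already negotiate those suites are unaffected.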

    Author Comment


    It's Windows 2003 Enterprise servers as well as Win 2003 Std Edition  OS.

    So are both the Trace and Track as well as the "weak ciphers" issue which I indicated above
    the same issue?

    Is the solution for both indicated in the link below?
    LVL 9

    Assisted Solution

    No, trace/track are slightly different.  I've done a lot of nessus scanning, these are common issues.


    urlscan can be used for track:

