FixVibe
Covered by FixVibe · high

Information Disclosure via Undocumented TRACK Method in Microsoft IIS 5.0

CVE-2003-1567 covers Microsoft IIS 5.0 TRACK behavior that can echo request content. FixVibe now reports this as a verified active-scan finding when target-specific, non-sensitive evidence shows legacy TRACK echo behavior, while clearly separating that evidence from proof of cookie theft or compromise.

CVE-2003-1567 · CWE-200

Covered by FixVibe

FixVibe now covers this issue in verified active scans. The shipped check reports legacy TRACK method echo behavior associated with CVE-2003-1567 when target-specific, non-sensitive request evidence shows that the server reflects request header content. Reports distinguish observed method-echo behavior from exact IIS 5.0 version proof unless the target itself advertises that version.

FixVibe does not send cookies, credentials, Authorization headers, browser exploit pages, user traffic, or state-changing requests for this check.

Why it matters

NVD describes CVE-2003-1567 as an undocumented Microsoft IIS 5.0 TRACK method that returns the original request in the response body, making cookie or credential disclosure easier in cross-site tracing scenarios [S1]. CERT/CC describes the same behavior as returning request content, including headers, and notes that blocking the method or using URLScan-style method controls mitigates the issue [S2]. The original public advisory also identified IIS 5.0 as affected and IIS 6.0 as not affected [S3].

What FixVibe checks

For a verified active-scan target, FixVibe checks whether the legacy TRACK method is accepted and whether the response echoes scanner-controlled, non-sensitive request content. Evidence includes the endpoint, server-header context when present, a safe response excerpt, and explicit notes about what was and was not verified.

This is reported as a likely information-disclosure issue. If the server advertises Microsoft-IIS/5.0, the advisory correlation is stronger; otherwise the finding remains bounded to the observed TRACK header-echo behavior.

What FixVibe does not verify

FixVibe does not verify that a browser in the environment can issue cross-origin TRACK requests. It does not capture real user traffic, cookies, credentials, or Authorization headers. It does not prove session theft, credential disclosure, compromise, or logged attack activity.

Remediation

Disable TRACK and TRACE at every HTTP layer that can answer for the affected hostname: CDN, WAF, load balancer, reverse proxy, IIS, and origin server. For legacy IIS 5.0 hosts, migrate to a supported IIS release where possible, or enforce method denial before the request reaches IIS while the migration is planned [S2].

After the change, confirm normal GET and HEAD traffic still works, review access logs for unexpected TRACK or TRACE activity, and rerun a verified active scan. Do not validate the fix by sending cookies, credentials, Authorization headers, browser exploit pages, user sessions, or state-changing requests.
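The access-log review described above can be scripted. The following is an added example, not FixVibe's code: it assumes the layer being reviewed writes W3C extended format logs with a `#Fields:` directive, and the sample lines, addresses and the `review_w3c_log` name are constructed for illustration.

```python
from collections import Counter

WATCHED = {"TRACK", "TRACE"}

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 09:00:01 192.0.2.10 GET /default.asp 200
2024-01-10 09:00:05 198.51.100.7 TRACK / 200
2024-01-10 09:00:09 198.51.100.7 TRACE / 501
2024-01-10 09:01:12 192.0.2.10 HEAD /default.asp 200
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-11 10:15:00 TRACK /app/ 203.0.113.4 404
"""

def review_w3c_log(lines):
    """Return (TRACK/TRACE rows, Counter of GET/HEAD (method, status) pairs)."""
    fields, hits, normal = [], [], Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row
        row = dict(zip(fields, values))
        method = row.get("cs-method", "").upper()
        status = row.get("sc-status", "")
        if method in WATCHED:
            # A 2xx status means some layer still answered the method.
            row["answered"] = status.startswith("2")
            hits.append(row)
        elif method in {"GET", "HEAD"}:
            normal[(method, status)] += 1
    return hits, normal

if __name__ == "__main__":
    hits, normal = review_w3c_log(SAMPLE_LOG.splitlines())
    for h in hits:
        state = "ANSWERED" if h["answered"] else "denied"
        print(h["date"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], h["sc-status"], state)
    print("GET/HEAD status counts:", dict(normal))
```

Rows marked ANSWERED after the change point to a layer that still serves TRACK or TRACE; the GET/HEAD counts give a quick view of whether normal traffic is still succeeding.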
