Web Server allows Cross-Site Tracing
Security Metrics may claim that a system that is already compromised can be used in a cross-site script tricking a user to perform a cross-site trace.
ClearCenter response
Short response
While tracing is supported and enabled by default, ClearOS shares the view with the Apache Foundation that this is NOT a vulnerability. (See http://www.apacheweek.com/issues/03-01-24#news)
Long response
The Apache Foundation has addressed this issue and does not see this as a particular security vulnerability. (See http://www.apacheweek.com/issues/03-01-24#news)
Trace is a function and a utility of Apache to troubleshoot webpages. It can be used to discover why pages are not working and potentially could be used to fix issues. As explained in the news from the Apache Foundation, the same information exposed in the attack can be garnered in other more typical ways. This a pretty weak representation of a real problem.
Resolution
Tracing can be a valuable tool for discovering issues with a malformed webpage. If you don't use this tool and just as soon disable the functionality you can turn it off in ClearOS. If you want to disable tracing, enter this line near the top of your /etc/httpd/conf/httpd.conf file:
TraceEnable off
Afterwards, restart the Apache service:
service httpd restart