Search FAQs

Is PowerChute Network Shutdown vulnerable to Cross Site Tracing (XST)?

Issue:
Is PowerChute Network Shutdown vulnerable to Cross Site Tracing (XST)?

Product:
PowerChute Network Shutdown

Environment:
All support OS

Cause:
Jetty web server

Solution:

The PCNS application is hosted on a Jetty Web Server. By default Jetty appears to have the HTTP TRACE method enabled.

In earlier versions of PowerChute (prior to 4.0), in response to an HTTP OPTIONS request the Jetty Web Server lists TRACE as an available option. However the TRACE method is blocked by the PCNS application.

HTTP/1.1 405 Method Not Allowed is sent in response to any TRACE request. Therefore PCNS is not vulnerable to CrossSite Tracing.

Cross site tracing (XST) is a vulnerability exploiting the HTTP TRACE method.
Further information can be found here:

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

Released for:APC USA

Published on:8/13/2012Last Modified on:9/29/2021

Need help?

Support Center

Obtain answers on your own by trying our digital support tools.

Search FAQs

Get answers you need by browsing topic-related Frequently Asked Questions (FAQ).

How to buy?

Easily find the nearest APC Reseller or Distributor in your location.

Find your replacement battery

Find the genuine APC Replacement Battery for your UPS.

Contact Us

Connect with us for help choosing the right product or with troubleshooting and installation. Monday-Friday between 8am – 8pm EST