Implications of Trace/Track Methods on Apache

The HTTP TRACE method basically echoes the request, together with all the headers, in the response. The Cookie header will also be included in the response. Session cookies should have the httpOnly flag to prevent session hijacking attacks. This flag blocks access to the cookie value from JavaScript. Basically this ensures that even if an attacker exploits an XSS flaw in a website, he won't know the session cookie value, so he cannot hijack it.

But if a web application server has TRACE enabled, an attacker can just send e.g. an XMLHttpRequest (AJAX) to the target server. The browser will attach the cookies to the request, the server will echo them in the response, and the attacker's JS code will get the response and be able to hijack the session.

The vulnerability is called Cross Site Tracing and has been described in this white paper.

However, since 2003, when this vulnerability was discovered, many browsers have simply disallowed sending requests with the TRACE method. Also, the specification for XMLHttpRequest now disallows the TRACE method. I don't have any concrete results on which browsers allow sending TRACE right now; the closest match I found is this article.

But still, there are probably some old browsers around, and other plugins like Flash, Silverlight and Java that often receive cookies from the browser and may use them for sending TRACE. So disabling it is now the only option to be sure you're not vulnerable to Cross Site Tracing. And it's easy too: just use TraceEnable off in Apache.
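As an added example (not from the original answer), here is a Python check of the behaviour described above: a constructed stand-in server either echoes the request like Apache with TraceEnable on or refuses TRACE like TraceEnable off, and a client sends one TRACE carrying a constructed cookie and reports whether that cookie came back. The stand-in server, the canary cookie value and run_check are assumptions for illustration; trace_echoes_headers can be pointed at a real host to verify that TraceEnable off took effect.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class OriginHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an origin server (not a real Apache)."""
    trace_enabled = True  # plays the role of Apache's TraceEnable on/off

    def do_TRACE(self):
        if not self.trace_enabled:
            # TraceEnable off: Apache answers 405 Method Not Allowed.
            self.send_response(405)
            self.send_header("Allow", "GET,HEAD,POST,OPTIONS")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # TraceEnable on: echo the request line and every request header,
        # Cookie included. That echo is what a cross-site script can read.
        echo = self.requestline + "\r\n"
        echo += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = (echo + "\r\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass

def trace_echoes_headers(host, port):
    """Send one TRACE with a constructed cookie; True if it is reflected."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": "session=canary123"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status == 200 and "session=canary123" in body

def run_check(trace_enabled):
    """Start the stand-in server with TRACE on or off and check it."""
    OriginHandler.trace_enabled = trace_enabled
    srv = HTTPServer(("127.0.0.1", 0), OriginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_echoes_headers("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()
```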


JavaScript can use it to access the HTTP request headers. This allows

These attacks are subject to the same-origin policy, but in combination with SOP exploits in Java, Flash, ActiveX or VBScript, they can be applied to any domain.

There is a good whitepaper on this topic.

tl;dr: It is not exploitable by itself but poses a risk in combination with other vulnerabilities.