lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: rms at computerbytesman.com (Richard M. Smith)
Subject: RE: TRACE used to increase the dangerous of XSS.

Okay it's not a bug, it's a feature.  ;-)  All I know is that Microsoft
and Netscape are going to need to release new versions of XMLHTTP that
either disallow the TRACE command altogether or strip cookie values and
authen. info from TRACE results.  I personally vote for removing TRACE
support in XMLHTTP.

Richard


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Thor
Larholm
Sent: Thursday, January 23, 2003 4:33 AM
To: Richard M. Smith; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] RE: TRACE used to increase the dangerous
of XSS.


This is not a bug in IE or XMLHTTP, and the cookie is not returned as
part
of the HTTP response headers. It is returned as part of the HTTP
response
body, which is exactly how TRACE works. Manipulating the HTTP response
body
returned is the last thing XMLHTTP would, or should, do.

IE is not the only browser that has XMLHTTP, Mozilla implemented a
fullyworking copy with the exact same behavior. Neither remove any
Set-Cookie HTTP headers from the response exposed to scripting.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
http://www.pivx.com/press_releases/mk_mk001.html


-----Original Message-----
From: Richard M. Smith [mailto:rms@...puterbytesman.com]
Sent: 22. januar 2003 23:35
To: bugtraq@...urityfocus.com; webappsec@...urityfocus.com;
vulnwatch@...nwatch.org
Subject: RE: TRACE used to increase the dangerous of XSS.


Isn't this a bug in Internet Explorer?  Shouldn't the Microsoft XMLHTTP
ActiveX control be removing cookies from returned HTTP headers when a
HTTP TRACE is done?  I know that this already happens when a GET or a
POST is done with XMLHTTP.

Richard M. Smith
http://www.ComputerBytesMan.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ