lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <001c01c2c266$4601a1c0$6601a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: RE: TRACE used to increase the dangerous of XSS.

Isn't this a bug in Internet Explorer?  Shouldn't the Microsoft XMLHTTP
ActiveX control be removing cookies from returned HTTP headers when a
HTTP TRACE is done?  I know that this already happens when a GET or a
POST is done with XMLHTTP.

Richard M. Smith
http://www.ComputerBytesMan.com

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@...tehatsec.com] 
Sent: Wednesday, January 22, 2003 3:33 PM
To: bugtraq@...urityfocus.com; webappsec@...urityfocus.com;
vulnwatch@...nwatch.org
Subject: TRACE used to increase the dangerous of XSS.


WhiteHat Security has released a new white paper discussing a new class
of web-app-sec attack (XST) which potentially affects all web servers
supporting TRACE.

The white paper explains all the detailed technical results we have
found so far. We are fairly certain this particular issue will spark
much debate and encourage those interested to read and comment.


White Paper Mirrors:
http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf

Press Release
http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ