[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003001c2c2fb$d47f0830$6601a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: RE: TRACE used to increase the dangerous of XSS.
Yep, you're right. XMLHTTP on IE only allows TRACEs to arbitrary
domains when the Javascript code executes in the "My Computer" zone. It
blocks cross-domain access in the "Internet Zone". So this issue is
much less interesting because it really relies on more serious bugs to
operate.
Killing off TRACE in XMLHTTP won't hurt just in case. The command seems
pretty useless.
Richard
-----Original Message-----
From: Georgi Guninski [mailto:guninski@...inski.com]
Sent: Thursday, January 23, 2003 11:06 AM
To: Richard M. Smith
Cc: 'Thor Larholm'; full-disclosure@...ts.netsys.com;
jeremiah@...tehatsec.com
Subject: Re: [Full-Disclosure] RE: TRACE used to increase the dangerous
of XSS.
Richard M. Smith wrote:
> Okay it's not a bug, it's a feature. ;-) All I know is that
Microsoft
> and Netscape are going to need to release new versions of XMLHTTP that
> either disallow the TRACE command altogether or strip cookie values
and
> authen. info from TRACE results. I personally vote for removing TRACE
> support in XMLHTTP.
>
> Richard
>
>
Richard, what are you smoking?
Last time I checked, Mozilla does not allow connecting with XMLHTTP to
other
sites. So removing TRACE method because of other bugs is quite silly.
On page 7 of the original paper is clearly explained that in order this
attack
to be possible there should be another bug.
Last time I checked, bugs which allow this attack, also allow taking
over
internet exploder completely. So why don't just download the user's hard
drive
and sort the cookies from the porn?
Georgi Guninski
http://www.guninski.com
Powered by blists - more mailing lists