lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <005d01c2c33e$2db0b7e0$6601a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: RE: TRACE used to increase the dangerous of XSS.

Hmm, maybe I'm not smoking anything.  It looks like the security model
in XMLHTTP changed somewhere between IE5 and IE6.  I have some code that
I wrote in summer of 2000 where it looks like XMLHTTP allowed
cross-domain reading of Web files.  I ran similar code today and it
failed with a permission error.   

I also remember that XMLHTTP used to strip cookies from outgoing HTTP
requests and incoming HTTP responses.  I've been told the latest version
of XMLHTTP allows cookies to be set and read.

Does anyone have access to an old IE5 system that they can test this?

Also, is the XMLHTTP security model documented anyplace by Microsoft?

Richard

-----Original Message-----
From: Georgi Guninski [mailto:guninski@...inski.com] 
Sent: Thursday, January 23, 2003 11:06 AM
To: Richard M. Smith
Cc: 'Thor Larholm'; full-disclosure@...ts.netsys.com;
jeremiah@...tehatsec.com
Subject: Re: [Full-Disclosure] RE: TRACE used to increase the dangerous
of XSS.


Richard M. Smith wrote:
> Okay it's not a bug, it's a feature.  ;-)  All I know is that
Microsoft
> and Netscape are going to need to release new versions of XMLHTTP that
> either disallow the TRACE command altogether or strip cookie values
and
> authen. info from TRACE results.  I personally vote for removing TRACE
> support in XMLHTTP.
> 
> Richard
> 
> 


Richard, what are you smoking?
Last time I checked, Mozilla does not allow connecting with XMLHTTP to
other 
sites. So removing TRACE method because of other bugs is quite silly.
On page 7 of the original paper is clearly explained that in order this
attack 
to be possible there should be another bug.

Last time I checked, bugs which allow this attack, also allow taking
over 
internet exploder completely. So why don't just download the user's hard
drive 
and sort the cookies from the porn?

Georgi Guninski
http://www.guninski.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ