Re: New Web Vulnerability - Cross-Site Tracing

From: Andrew Clover (and@doxdesk.com)
Date: 01/23/03

    Date: Thu, 23 Jan 2003 11:46:36 +0000
    From: Andrew Clover <and@doxdesk.com>
    To: bugtraq@securityfocus.com

    Pete Soderling <pete@petesoder.com> quoted WhiteHat Security:

    > "After months of extensive research, San Jose California-based WhiteHat
    > Security has unmasked a flaw in one of the Web's cornerstone protocols

    No. The fault seems to me not to be anything to do with TRACE, but just
    (another) bug in Microsoft's XMLHTTP component.

    XMLHTTP should *not* add cookie and authentication headers to outgoing
    requests. It is only appropriate to send these headers when it is known
    the response will be handled by the user agent itself, and hence only
    available to scripting code through the usual browser security
    same-origin policy.

    TRACE is IMHO a silly feature, but it's unrelated to the real problem.
    After all, a simple GET request sent by XMLHTTP could ask for a page from
    a user's online bank and read the balance off the reply.

    TRACE would be a danger if there were a legitimate way to persuade a browser
    to make a TRACE request and display the results as text/html, but as far as
    I know there isn't. Certainly <form method="TRACE"> doesn't do it.

    'httpOnly' really doesn't have anything to do with this issue either.

    > which places all e-commerce sites, as well as scores of Internet users,
    > in jeopardy.

    Not any more than they already are. This is a browser bug in IE, and there
    are already many cross-site scripting bugs in that browser.

    I hope this was properly reported to MS... it's an IE hole, *not* a
    general-purpose the-web-is-falling design flaw.

    -- 
    Andrew Clover
    mailto:and@doxdesk.com
    http://www.doxdesk.com/
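
An added illustration of the mechanism the message argues about (not part of the original post): a throwaway local server that implements TRACE as RFC 2616 describes, a client that attaches constructed Cookie and Authorization headers the way the buggy XMLHTTP did, and a check listing which credential headers came back in the body. The server's `allow_trace` switch, the header names and the sample values are assumptions of this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers a browser component must not attach to script-driven cross-site requests.
SENSITIVE = {"cookie", "authorization", "proxy-authorization"}

class TraceHandler(BaseHTTPRequestHandler):
    allow_trace = True  # False models the server-side mitigation: refuse the method

    def log_message(self, *args):  # keep the demo server quiet
        pass

    def do_TRACE(self):
        if not self.allow_trace:
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD")
            self.end_headers()
            return
        # RFC 2616 section 9.8: reflect the request, headers included, as message/http.
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def echoed_sensitive_headers(body: str) -> set:
    """Names of credential-carrying headers that a TRACE response body reflects."""
    found = set()
    for line in body.splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE:
            found.add(name.strip().lower())
    return found

def credentialed_trace_roundtrip(allow_trace: bool) -> tuple:
    """TRACE with constructed credential headers against a local server: (status, echoed)."""
    TraceHandler.allow_trace = allow_trace
    srv = HTTPServer(("127.0.0.1", 0), TraceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
        conn.request("TRACE", "/", headers={"Cookie": "session=constructed-value",
                                            "Authorization": "Basic Y29uc3RydWN0ZWQ="})
        resp = conn.getresponse()
        return resp.status, echoed_sensitive_headers(resp.read().decode())
    finally:
        srv.shutdown()
        srv.server_close()
```

With `allow_trace=True` the body hands the Cookie and Authorization values straight back to whoever can read the response, which is exactly why a client must not attach them to script-initiated requests; with `allow_trace=False` the server answers 405 and nothing is reflected.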
    

