Full Disclosure mailing list archives
RE: TRACE used to increase the dangerous of XSS.
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 22 Jan 2003 17:35:26 -0500
Isn't this a bug in Internet Explorer? Shouldn't the Microsoft XMLHTTP ActiveX control be removing cookies from returned HTTP headers when a HTTP TRACE is done? I know that this already happens when a GET or a POST is done with XMLHTTP. Richard M. Smith http://www.ComputerBytesMan.com -----Original Message----- From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com] Sent: Wednesday, January 22, 2003 3:33 PM To: bugtraq () securityfocus com; webappsec () securityfocus com; vulnwatch () vulnwatch org Subject: TRACE used to increase the dangerous of XSS. WhiteHat Security has released a new white paper discussing a new class of web-app-sec attack (XST) which potentially affects all web servers supporting TRACE. The white paper explains all the detailed technical results we have found so far. We are fairly certain this particular issue will spark much debate and encourage those interested to read and comment. White Paper Mirrors: http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf Press Release http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 22)
- Re: RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- Re: RE: TRACE used to increase the dangerous of XSS. Georgi Guninski (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- Re: RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)
- <Possible follow-ups>
- Fw: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)