Full Disclosure mailing list archives
RE: RE: TRACE used to increase the dangerous of XSS.
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Thu, 23 Jan 2003 19:18:53 -0500
Hmm, maybe I'm not smoking anything. It looks like the security model in XMLHTTP changed somewhere between IE5 and IE6. I have some code that I wrote in summer of 2000 where it looks like XMLHTTP allowed cross-domain reading of Web files. I ran similar code today and it failed with a permission error.

I also remember that XMLHTTP used to strip cookies from outgoing HTTP requests and incoming HTTP responses. I've been told the latest version of XMLHTTP allows cookies to be set and read.

Does anyone have access to an old IE5 system that they can test this? Also, is the XMLHTTP security model documented anyplace by Microsoft?

Richard

-----Original Message-----
From: Georgi Guninski [mailto:guninski () guninski com]
Sent: Thursday, January 23, 2003 11:06 AM
To: Richard M. Smith
Cc: 'Thor Larholm'; full-disclosure () lists netsys com; jeremiah () whitehatsec com
Subject: Re: [Full-disclosure] RE: TRACE used to increase the dangerous of XSS.

Richard M. Smith wrote:
> Okay it's not a bug, it's a feature. ;-) All I know is that Microsoft
> and Netscape are going to need to release new versions of XMLHTTP that
> either disallow the TRACE command altogether or strip cookie values and
> authen. info from TRACE results. I personally vote for removing TRACE
> support in XMLHTTP.
>
> Richard

Richard, what are you smoking?

Last time I checked, Mozilla does not allow connecting with XMLHTTP to other sites. So removing TRACE method because of other bugs is quite silly.

On page 7 of the original paper is clearly explained that in order this attack to be possible there should be another bug. Last time I checked, bugs which allow this attack, also allow taking over internet exploder completely. So why don't just download the user's hard drive and sort the cookies from the porn?

Georgi Guninski
http://www.guninski.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
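Added example, not part of the original thread and not any vendor's code: one way to implement the mitigation proposed in the quoted message above, stripping cookie values and authentication info from TRACE results before they reach a caller. The function name, the header list and the sample response are assumptions constructed for illustration.

```python
# Added example: redact credentials from the request echoed in a TRACE response.
SENSITIVE = {"cookie", "authorization", "proxy-authorization"}  # assumed list

def redact_trace_echo(raw: bytes):
    """Return (sanitized response bytes, list of redacted header names)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    head_lines = head.decode("iso-8859-1").split("\r\n")
    ctype = ""
    for line in head_lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.strip().lower()
    # A TRACE response carries the received request as a message/http body.
    if not sep or not ctype.startswith("message/http"):
        return raw, []
    redacted, out, dropping = [], [], False
    for line in body.decode("iso-8859-1").split("\r\n"):
        if line[:1] in (" ", "\t"):
            # Folded continuation line: it belongs to the previous header.
            if dropping:
                continue
        else:
            name, colon, _ = line.partition(":")
            dropping = bool(colon) and name.strip().lower() in SENSITIVE
            if dropping:
                redacted.append(name.strip())
                line = name + ": [redacted]"
        out.append(line)
    new_body = "\r\n".join(out).encode("iso-8859-1")
    # Keep the response headers, correcting Content-Length for the new body.
    fixed = [
        "Content-Length: %d" % len(new_body)
        if l.partition(":")[0].strip().lower() == "content-length" else l
        for l in head_lines
    ]
    return "\r\n".join(fixed).encode("iso-8859-1") + b"\r\n\r\n" + new_body, redacted

# Constructed sample: a server echoing a TRACE request that carried credentials.
BODY = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=constructed-value;\r\n"
    b"\tprefs=folded\r\n"
    b"Authorization: Basic constructed-credential\r\n\r\n"
)
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
```

Responses that are not `message/http` are returned unchanged, so the filter only affects TRACE echoes.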
Current thread:
- RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 22)
- Re: RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- Re: RE: TRACE used to increase the dangerous of XSS. Georgi Guninski (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- RE: RE: TRACE used to increase the dangerous of XSS. Richard M. Smith (Jan 23)
- Re: RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)
- <Possible follow-ups>
- Fw: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)