WebApp Sec mailing list archives
Re: Is this exploitable?..
From: Stephen de Vries <stephen () twisteddelight org>
Date: Fri, 17 Dec 2004 10:28:40 +0000
Hi Ben,

Yes, it is exploitable; one attack vector is called Cross Site Tracing, documented here: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

It should be noted that this is not a vulnerability in the J2EE implementation of TRACE; it is a problem with the TRACE method itself. See the HTTP 1.1 RFC for more info: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.8

Regards,
Stephen

On Dec 15, 2004, at 10:42 PM, Benjamin Livshits wrote:
I was looking at the following code in J2EE 1.4.1 HttpServlet.java and it looks like it may be possible to exploit it:

    import java.io.IOException;
    import java.util.Enumeration;
    import javax.servlet.ServletException;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Default TRACE handler inherited by every HttpServlet subclass
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException
    {
        int responseLength;

        String CRLF = "\r\n";
        // The request line is echoed first
        String responseString = "TRACE "+ req.getRequestURI()+
            " " + req.getProtocol();

        Enumeration reqHeaderEnum = req.getHeaderNames();

        // Every request header is copied verbatim into the response body
        while( reqHeaderEnum.hasMoreElements() ) {
            String headerName = (String)reqHeaderEnum.nextElement();
            responseString += CRLF + headerName + ": " +
                req.getHeader(headerName);
        }

        responseString += CRLF;

        responseLength = responseString.length();

        resp.setContentType("message/http");
        resp.setContentLength(responseLength);
        ServletOutputStream out = resp.getOutputStream();
        out.print(responseString);
        out.close();
        return;
    }

It looks like responseString obtained from req is forgeable and this may conceivably lead to a vulnerability down the line, it seems, when responseString is output with a call to out.print(responseString). Please advise.

-Ben
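One application-wide mitigation, added here as an example and not code from the thread or from the J2EE sources: a servlet Filter (hypothetical class name DenyTraceFilter) that answers TRACE with 405 Method Not Allowed before any servlet's inherited doTrace() can reflect the request headers.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of J2EE or of the quoted HttpServlet code).
// It short-circuits TRACE so the inherited doTrace() never builds the
// message/http body that mirrors Cookie, Authorization and other headers.
//
// web.xml mapping (covers every servlet in the application):
//   <filter>
//     <filter-name>DenyTrace</filter-name>
//     <filter-class>DenyTraceFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>DenyTrace</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class DenyTraceFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            if ("TRACE".equalsIgnoreCase(req.getMethod())) {
                HttpServletResponse resp = (HttpServletResponse) response;
                // RFC 2616 10.4.6: a 405 response lists the permitted methods
                resp.setHeader("Allow", "GET, HEAD, POST, OPTIONS");
                resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return; // nothing from the request is written back
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Because every HttpServlet subclass inherits the quoted doTrace(), the filter must be mapped to /* rather than to individual servlets; Tomcat's connector attribute allowTrace (false by default) disables the method at the container level as well.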
Current thread:
- Is this exploitable?.. Benjamin Livshits (Dec 16)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)
- RE: Is this exploitable?.. Benjamin Livshits (Dec 20)
- Re: Is this exploitable?.. Stephen de Vries (Dec 20)
- Re: Is this exploitable?.. Tim (Dec 20)
- Re: Is this exploitable?.. Peter Conrad (Dec 20)