BugTraq
New Web Vulnerability - Cross-Site Tracing Jan 22 2003 07:24PM
Pete Soderling (pete petesoder com) (2 replies)
Re: New Web Vulnerability - Cross-Site Tracing Jan 23 2003 11:46AM
Andrew Clover (and doxdesk com)
Pete Soderling <pete (at) petesoder (dot) com> quoted WhiteHat Security:

> "After months of extensive research, San Jose California-based WhiteHat
> Security has unmasked a flaw in one of the Web's cornerstone protocols

No. The fault seems to me not to be anything to do with TRACE, but just
(another) bug in Microsoft's XMLHTTP component.

XMLHTTP should *not* add cookie and authentication headers to outgoing
requests. It is only appropriate to send these headers when it is known
the response will be handled by the user agent itself, and hence only
available to scripting code through the usual browser security same-
origin policy.

TRACE is IMHO a silly feature, but it's unrelated to the real problem.
After all, a simple GET request sent by XMLHTTP could ask for a page from
a user's online bank and read the balance off the reply.

TRACE would be a danger if there were a legitimate way to persuade a browser
to make a TRACE request and display the results as text/html, but as far as
I know there isn't. Certainly <form method="TRACE"> doesn't do it.

'httpOnly' really doesn't have anything to do with this issue either.

> which places all e-commerce sites, as well as scores of Internet users,
> in jeopardy.

Not any more than they already are. This is a browser bug in IE, and there
are already many cross-site scripting bugs in that browser.

I hope this was properly reported to MS... it's an IE hole, *not* a
general-purpose the-web-is-falling design flaw.

--
Andrew Clover
mailto:and (at) doxdesk (dot) com
http://www.doxdesk.com/
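
The mechanism discussed in this message, as an added example that is not part of the original post: a server that implements TRACE echoes the request back as message/http, so credential headers appear in the response body only if the client attached them. The function names, host name and header values are constructed for illustration.

```python
# Added example; helper names and request bytes are constructed, not from the thread.
SENSITIVE = ("cookie", "authorization")

# Request as sent by a client that attaches credentials automatically.
WITH_CREDS = (b"TRACE / HTTP/1.1\r\nHost: bank.example\r\n"
              b"Cookie: session=constructed-value\r\n"
              b"Authorization: Basic PLACEHOLDER\r\n\r\n")
# Same request from a client that does not attach credentials.
WITHOUT_CREDS = b"TRACE / HTTP/1.1\r\nHost: bank.example\r\n\r\n"

def handle_trace(raw_request: bytes, trace_enabled: bool = True) -> bytes:
    """Minimal origin-server TRACE behaviour: echo the request as message/http."""
    if not raw_request.startswith(b"TRACE "):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    if not trace_enabled:  # hardened configuration: method refused
        return (b"HTTP/1.1 405 Method Not Allowed\r\n"
                b"Allow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n")
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
            b"Content-Length: " + str(len(raw_request)).encode() + b"\r\n\r\n")
    return head + raw_request

def echoed_credentials(response: bytes) -> dict:
    """Return the credential headers a TRACE response reflects in its body."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)[1]
    resp_headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        resp_headers[name.strip().lower()] = value.strip()
    if status != b"200" or resp_headers.get(b"content-type") != b"message/http":
        return {}
    found = {}
    for line in body.split(b"\r\n")[1:]:  # skip the echoed request line
        if not line:                      # blank line ends the echoed headers
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower().decode() in SENSITIVE:
            found[name.strip().decode()] = value.strip().decode()
    return found

if __name__ == "__main__":
    for label, req, enabled in (("credentials attached", WITH_CREDS, True),
                                ("no credentials attached", WITHOUT_CREDS, True),
                                ("TRACE disabled", WITH_CREDS, False)):
        print(label, "->", echoed_credentials(handle_trace(req, enabled)))
```
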

Re: New Web Vulnerability - Cross-Site Tracing Jan 22 2003 08:11PM
Marc Slemko (marcs znep com)


 

Copyright 2010, SecurityFocus