Slashdot Mirror


Cross-Site-TRACE

quackking writes "Uh-oh! Looks bad for RFC 2068! Kudos to WhiteHat out of Santa Clara, CA for this one. ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack - XST - cross-site-trace. When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts. Even devices like web-managed routers are open to this."
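
An added example, not part of the Slashdot summary or of WhiteHat's write-up: a small Python checker that classifies a saved response to an HTTP TRACE request, since a server that echoes the request back (a 200 with a message/http body) is what lets a page script read the reflected Cookie header, while a 405 means the method is refused. The two sample responses are constructed, and the Apache directive named in a comment is assumed as the usual way to switch TRACE off.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any real host). A server with
# TRACE enabled answers 200 and echoes the request it received, Cookie and all.
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 78\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: session=REDACTED\r\n"
    b"X-Probe: 1\r\n\r\n"
)
# A server that refuses TRACE (e.g. Apache with TraceEnable off) answers 405.
DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)

@dataclass
class TraceVerdict:
    enabled: bool  # server echoed the request back: the XST precondition
    status: int
    echoed_headers: List[str] = field(default_factory=list)

    def reflects_credentials(self) -> bool:
        """True if the echo would hand a page script the Cookie/Authorization header."""
        return any(h.lower() in {"cookie", "authorization"} for h in self.echoed_headers)

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_trace_response(raw: bytes) -> TraceVerdict:
    """Decide whether a TRACE reply shows the method enabled, and what it echoed."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if status != 200 or ctype != "message/http":
        return TraceVerdict(False, status)  # refused, or at least not an echo
    request_line, _, rest = body.decode("iso-8859-1").partition("\r\n")
    if not request_line.upper().startswith("TRACE "):
        return TraceVerdict(False, status)  # 200, but the body is not our request
    echoed = [h.split(":", 1)[0].strip() for h in rest.split("\r\n") if ":" in h]
    return TraceVerdict(True, status, echoed)
```

Run the checker over responses captured from your own servers; any verdict with `enabled` set and `reflects_credentials()` true is a host where TRACE should be disabled at the server or the reverse proxy.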

15 of 299 comments

  1. obligatory /.-ted remark by selderrr · · Score: 2, Funny

    highly popular blog
    apparently a bit too popular right now :-)

  2. Return to Pleasure Island by AndroidCat · · Score: 3, Funny

    Got his little chapbook right here, signed even. And if you flip through the pages, the donkey changes into a boy, or is that the other way around?

    --
    One line blog. I hear that they're called Twitters now.

  3. How could this happen? by Anonymous Coward · · Score: 4, Funny

    I thought the Magic Kingdom was the happiest place on earth? If you cry Mickey will give you free gifts.

  4. Re:why would i buy? by gotroot801 · · Score: 3, Funny

    For that matter, why wouldn't I buy the book, when the dead-tree edition would probably reach me quicker than the free download on the slashdotted server? :)

  5. Re:Most science fiction by Anonymous Coward · · Score: 1, Funny

    You must be a liberal, based on your use of an ad-hominem attack rather than actually trying to refute something you don't agree with :-)

    Rush Limbaugh is a liberal?!

  6. Re:Most science fiction by bdr1 · · Score: 2, Funny

    rather than just sitting there like a turd on a log, belching out criticism, write your own novel. otherwise, stop your croaking.

  7. Descriptivism R teh suX0R, lol urfuct by Anonymous Coward · · Score: 1, Funny

    Preaching to the choir, half of whom are asleep and the other half can't sing. The pews are empty. You GO, boy.

  8. /!\ Security Alert _ [] [X] by Seehund · · Score: 5, Funny

    Your Computer Is Currently Broadcasting An
    Internet IP Address. With This Address, Someone Can
    Immediately Begin Attacking Your Computer! [ OK ]


    Shut up Slashdot. I get all the Security Alerts I need from media*.fastclick.net.

    --
    Help saving AmigaOS and a free PowerPC market

  9. Re:relation? by LinuxPunk · · Score: 4, Funny

    Oh my god, they killed UUnet! Those bastards!

    Sprint seems to be doing very well, though.

  10. At least... by mraymer · · Score: 3, Funny

    ...they didn't provide a link to an example script for this exploit. ;)

    Can you imagine the royal slashdotting that RIAA/MPAA/MS/etc would receive if the thousands of script kiddies that read /. suddenly had access to such a thing?

    Perhaps this is what Obi-Wan was talking about when he felt the tremor in the force, and the whole Alderaan blowing up thing was just a bizarre coincidence...

    --

    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

  11. Re:relation? by hudmond · · Score: 3, Funny

    excerpt taken from http://www.internet.com/

    Microsoft Promises a More Secure 2003 After a year of working on its security issues, the company's Trustworthy Computing initiative is taking more of a 'push' approach starting with Windows Server 2003. -internetnews

    Anyone else find this laughable? I'm slightly entertained I'll admit.

  12. Re:relation? by amigaluvr · · Score: 5, Funny

    hrm kevin mitnick is allowed back on the net and the net goes fubar

    hrmmmmmmmmmmmmmmm????

  13. Ironic... by weave · · Score: 3, Funny

    /. runs a story on main page about huge security hole in all web servers that will bring the net to its knees, but it really only affects IE clients. They don't run a story about what may end up the biggest net story of the year, a la Code Red, the MS SQL worm running wild on the net now and shutting down entire sites and playing havoc with the backbone.

    /. posters work around the damage in the story and start posting comments en masse about the SQL attack -- the real story this day -- leaving people who lack reading comprehension to confuse the two issues, therefore causing a DDOS on their brain.

  14. Maybe it's bin laden by FIGJAM · · Score: 2, Funny

    let's blame him anyway

    --
    Do your best, hope for the best, suspect the worst.

  15. Re:This story is crap by eyeball · · Score: 3, Funny

    This story is utter alarmist crap.

    Hey, don't knock alarmist crap. It's a real cash cow for some people!

    --

    _______
    2B1ASK1