Slashdot Mirror


Cross-Site-TRACE

quackking writes "Uh-oh! Looks bad for RFC 2068! Kudos to WhiteHat out of Santa Clara, CA for this one. ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack - XST - cross-site-trace. When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts. Even devices like web-managed routers are open to this."

16 of 299 comments

  1. He gets the word around.. by Gortbusters.org · · Score: 2, Insightful

    Let's see... he's got the blog, online sellers, copies of it online in all the great formats, a blog, and even the desire to put it on P2P sharing services. Don't forget the /. post.

    Not many look to writing books for fun these days, perhaps I shall click on his advertisements to give him some support.

    --
    --------
    Free your mind.
  2. Re:why would i buy? by Anonymous Coward · · Score: 2, Insightful

    i don't know. maybe you get halfway through reading the pdf, and need a book to go on holiday with.

    also. you could repay him by telling your friends how good it was (I'm assuming it's good here ;-). Not all of them are gonna be so cheapskate they're prepared to read a pdf.

    finally, who says you'll want to read his second novel this way?

  3. Re:why would i buy? by Erasmus+Darwin · · Score: 5, Insightful
    "why would i go buy the book, when i just downloaded the pdf for free?"

    For the same reason that you'd go see a concert of a band that allows you to trade bootlegs of their concerts. The content may be the same, but the presentation of the for-pay version is in a format that is usually considered more desirable.

  4. Re:why would i buy? by bje2 · · Score: 3, Insightful

    true, when you consider printer ink, printer paper, etc, the book might end up being cheaper after all...but then again, i can just print it out at work, and do away with all that overhead for me...

    --

    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
  5. Re:Didn't OWNZ0RED get panned?? by Anonymous Coward · · Score: 1, Insightful
    I still have to wonder if the content is all that good though. Guess I'll be reading it myself.
    sigh.
    Yeah, it sucks to have to think for yourself instead of deferring to the slashdot hivemind.
  6. Re:Most science fiction by nEoN+nOoDlE · · Score: 4, Insightful

    as Kurt Vonnegut once said (paraphrased), good science fiction writers don't know anything about science. Personally, I would agree with him since Vonnegut is my favorite writer and I read science fiction not for the scientific facts, but for the writer's interpretation of the "human condition" with perhaps the future or some crazy invention thrown in as a plot device. If I wanted a view of the future, I'd read science journals.

    --
    Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
  7. Re:Most science fiction by schlach · · Score: 5, Insightful
    I can't figure out why the reaction to the 0wNz0red story in August was so bad on slashdot. I thought it was a very entertaining, enjoyable, and thought-provoking read, in the grande style of good science fiction.

    I think most of it was a reaction to the language, which strikes me as bizarre. This is how we think! Maybe shutter-geeks are intolerant of words coined after 1960, but I hate to tell you folks, look how many pieces of language we owe to Gibson's contribution.

    Check out "Tales for the 1337 presents: Romeo & Juliet". That's funny shit, because of the way it illustrates how language is changing with the kids. Before you dismiss them as punks, remember that in ten years they'll be dismissing us as fogies.

    It's always been the case that language is purely the spoken word, and that writing is only linguistically interesting in the sense that it helps us track the progress of language. That's not exactly what I mean, but close enough. Anyway, what's come to be known as '1337' (but I'll generalize as "chat colloquialisms" b/c ppl ph34r th4t w0rd) is the first time that writing is dictating language. kewl.

    When you find yourself saying - out loud - "bbl", or "brb", or "haxor, fuxor, suxor", or "warez, filez, skillz" in 'real life', you know you're part of the change. Hell, when I say "owned" wrt computer security, I know it's spelled with a zero. Writing is leading language in this case, unlike others, because within this particular group of people, writing has become the dominant communication medium. Otherwise, it would follow the same slang-path that you are probably more familiar with, like "cool", "sweet", "rock", etc, which progresses from within spoken circles to the dictionary in an orderly fashion.

    Quoth sirinek,
    I'd like to thank the submitter of the story for calling it a "weblog" instead of some lame-ass made-up-for-the-sake-of-making-a-name-up name like a "blog" or a "wiki". :)

    I'm sure I'm not alone in my praise :)

    He's right, he's not alone. But I'm not with him. I have a blog. I blog things on my blog. This comment will probably be blogged in some shape or form. And I'm thinking about starting a wiki for a different project. 'Wiki' is the only word there is for a wiki. The only way I can think of to avoid using it is to not think about the idea that 'wiki' represents ... which just seems faulty.

    Interrobang,
    It's nice to see someone play with language, and it's nice to see someone who apparently knows a little bit of something (instead of a whole lot of nothing) about computers writing speculative fiction, for a change. Or don't you guys get a little bit annoyed about totally impossible (instead of wildly improbable) computers (and/or technology) in speculative fiction?

    Aren't we progressive? Aren't we adaptive? I've got a lot of hope riding on this generation of geeks, to look forward to the future, optimizing the world, if you will... I shudder to think that, underneath it all, we geeks think that our own language and the way we think should be constant and unchanging throughout our (adult) lives...
  8. Re:why would i buy? by WNight · · Score: 3, Insightful

    Because part of being a useful member of society is taking responsibility. If you wish to see the series continue, take responsibility for a part of that and help finance it.

    It's not a theft issue or anything, the author isn't harmed by you reading it. You have no obligation to pay, otherwise it wouldn't have been a gift, it'd have been a guilt-trip. But stand up and be counted. If you like something, make sure it keeps happening.

    Support the author. If you don't want the book (and someone who doesn't re-read them probably wouldn't) then just send what you think is a fair price (a buck or two probably is more profit than he'd see from an actual sale) through paypal. Then pass the e-book on to someone else who might like it.

    Personally, I wouldn't buy the book (in paper form anyways). Paper is becoming more and more obsolete. I read on the computer with preference to paper. When I re-read 1984 I did it on the computer, when I read the last Honor Harrington novels, I read them on the computer instead of from the hard-copy book I had. I like having Baen books on CD though, and if the price of that is to buy a little obsolete paper every now and then, so be it.

  9. relation? by minddog · · Score: 3, Insightful

    This isn't at all related to what's going on right now is it?

    1. Re:relation? by walendo · · Score: 2, Insightful

      Same here. Lots of hits on port 1434, currently from .kr and .mx ... sigh.

  10. Re:not related by thestu · · Score: 2, Insightful

    I'm also getting pounded here on 1434... Thank god for firewalls...

  11. A couple choice quotes from the "whitepaper" by jeremie · · Score: 5, Insightful
    Typical Sky-Is-Falling (tm) propaganda, this is so 90's:

    "Scenarios assume the following:
    A user visits a malicious web site or views malicious content hosted by a trusted source (message board, web mail, etc..)"

    "To resolve this limitation, we had to utilize extended client-side scripting technologies to create and send a specially formatted HTTP request to a target web server." (this must pass through the web browser which must foolishly attach authentication cookies in question (which properly implemented secure systems don't rely on anyway))

    "To restate, all the sensitive information is still accessible even over an SSL link." (what the hell? it's just the friggin headers! cookies and weak basic auth (they didn't even show and I'm not convinced the (broken) browsers send the auth headers in such forged requests))

    "There is however at this point a limiting factor preventing wider a danger escalation. The TRACE connection made by the browser, will NOT be allowed by the browser, to connect to anything other than the domain hosting the actual script content... To increase the exposure of the exploit, we are in need of a domain-restriction-bypass vulnerability" (MAKE THIS CLEAR, IT ONLY WORKS IN A CROSS-SITE SCRIPTING VULNERABLE BROWSER)

    To reiterate: your web server or site isn't vulnerable because it supports trace, that's about as silly as blaming ping packets for the ping-of-death problems on early windoze systems, sheesh.

    This is all a bunch of crap that requires a browser to be vulnerable to cross scripting, and for the user to have visited a malicious site just beforehand.
  12. Re:sorry about the lack of breaks... by happystink · · Score: 2, Insightful

    That's great if your server is INfected, but unfortunately, for most people their server is AFfected due to the ensuing mess the DDOS is causing, and most aren't running MSSQL.

    --

    sig:
    See the "..for smart people" banners Wired runs here? Look elsewhere guys.

  13. Re:SitRep by mabu · · Score: 2, Insightful

    If you have something productive to say, go for it. But calling someone an idiot without any details is counterproductive.

    I fully admit that some of the replies may not be related to the RFC trace issue that the main message applies to, however, the news article was posted right in the middle of a major backbone outage on the Internet. At this point, we're not sure of the root cause of this, and so this seems the appropriate forum to post situation reports and news gathered. Slashdot remains one of the few trustworthy sites to check when things like this happen.

  14. Re:It's lucky that the worm writer by Tassach · · Score: 2, Insightful
    Targeting SQL servers is quite clever, as many of them will be in hosting centres with 34Mbs, burstable to 155Mb (for example).
    Any DBA who lets his database server connect directly to the internet deserves to be drawn and quartered. There's no reason whatsoever for a database server to be talking to the internet; all external SQL requests should be made via a middle tier. You don't run 2 tier client-server apps over the internet without some kind of VPN or some other secure tunnel.

    Likewise, you shouldn't be running a database on the same box as your web server for any kind of serious production system - the web server goes on the DMZ, and the database server goes behind the firewall and only talks to trusted machines. Note that this applies to ANY database server, not just MS-SQL Server.

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  15. Re:CRAP! (If it's not Scottish, it's...) by Zeinfeld · · Score: 2, Insightful
    This report is just nonsense. TRACE causes the web server to send a reply containing a 'body' part consisting of the request headers.

    There can be no security vulnerability in HTTP that is due to cross site scripting PERIOD.

    This is because support for scripting was never considered in the design of HTTP. Scripting has known security problems. The onus for solving those problems rested and rests today on the idiots who introduced scripting. It has nothing to do with the protocol layer.

    TRACE was in the HTTP specs long long before Javascript was cobbled together in two weeks at Netscape. Netscape could not even be bothered to ask for advice from the HTTP community before unleashing their abomination, so why is this supposed to be my fault eh?

    Javascript sucks, always has always will. It was yet another of those hacks Netscape put in to please the advertisers or whichever customer they were going after that week. As a result we have pop-under ads and sites can screw up the navigation buttons. Oh yes and sites keep coming up 'javascript error class not found'.

    None of the uses javascript is necessary for could not have been better supported through extensions to HTML. But the Netscape guys didn't want to do that because they wanted to try to control the standards by simply throwing whatever crap they wrote over the wall and faxing the 'specification' to W3C so they could say that it had been submitted in their press release.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
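
The TRACE behaviour that comments 11 and 15 argue about, as an added example that is not part of the original thread or the whitepaper: a constructed local server implements TRACE the way RFC 2068 describes (the response body echoes the request line and headers), a second mode refuses the method with 405, and `check_trace` (a name assumed here) is the audit a server owner would run to see whether a Cookie header they sent comes back in the body. The loopback address, port, and cookie value are constructed placeholders.

```python
import http.client
import http.server
import threading

# Constructed local server: TRACE echoes the request line and headers back as
# the response body, which is what RFC 2068 specifies and why a reflected
# Cookie header is the concern raised in the thread.
class TraceEchoHandler(http.server.BaseHTTPRequestHandler):
    trace_enabled = True   # set False to model a server with TRACE disabled

    def do_TRACE(self):
        if not self.trace_enabled:
            # Hardened behaviour: refuse the method outright.
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):
        pass   # keep the demo quiet

def start_server(trace_enabled):
    """Start the constructed server on a free loopback port in a daemon thread."""
    handler = type("Handler", (TraceEchoHandler,), {"trace_enabled": trace_enabled})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def check_trace(host, port, path="/"):
    """Audit one server: is TRACE answered, and is a sent Cookie header reflected?"""
    marker = "session=CONSTRUCTED-SAMPLE"   # placeholder, not a real credential
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={"Cookie": marker})
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1", "replace")
    conn.close()
    return {"status": resp.status, "trace_enabled": resp.status == 200,
            "reflects_cookie": marker in body}

if __name__ == "__main__":
    for enabled in (True, False):
        srv = start_server(enabled)
        print("TRACE on" if enabled else "TRACE off", check_trace("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
```

On an Apache host the equivalent of the hardened mode is the `TraceEnable off` directive; on other servers, a method filter that answers 405 as modelled here.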