Slashdot Mirror


Cross-Site-TRACE

quackking writes "Uh-oh! Looks bad for RFC 2068! Kudos to WhiteHat out of Santa Clara, CA for this one. ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack - XST - cross-site-trace. When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts. Even devices like web-managed routers are open to this."
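An added example, not code from the Slashdot post or from WhiteHat: a defender-side check that tells whether a web server echoes TRACE requests back to the client, which is the behaviour the XST technique relies on. It parses a raw HTTP response and reports reflection only when the status is 200, the body is `message/http`, and a random marker header sent with the request comes back in the body; two constructed responses (an echoing server and a hardened one answering 405) exercise it offline. The marker header name `X-XST-Check`, the host `example.test` and the `probe_trace` helper are assumptions of this example.

```python
# Added example (not from the Slashdot post or WhiteHat): check whether an
# HTTP server reflects TRACE requests, using constructed sample responses.
from __future__ import annotations

import http.client
import secrets

MARKER_HEADER = "X-XST-Check"  # assumed name for the marker header we send


def new_marker() -> str:
    """Random token; seeing it echoed in the body proves the server reflects TRACE."""
    return secrets.token_hex(8)


def parse_http_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return status, headers, body


def classify_trace(status: int, content_type: str, body: bytes, marker: str) -> bool:
    """True only if the reply is a 200 message/http echo containing our marker."""
    if status != 200:
        return False  # 405/501 etc. means TRACE is refused: the hardened case
    if not content_type.lower().startswith("message/http"):
        return False  # RFC 2068 says a TRACE echo carries Content-Type: message/http
    return (MARKER_HEADER + ": " + marker).encode("ascii") in body


def trace_is_reflected(raw: bytes, marker: str) -> bool:
    """Offline form: classify a captured raw response."""
    status, headers, body = parse_http_response(raw)
    return classify_trace(status, headers.get("content-type", ""), body, marker)


def probe_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> bool:
    """Live form for a server you administer: send TRACE with a marker header."""
    marker = new_marker()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        return classify_trace(resp.status, resp.getheader("Content-Type") or "",
                              resp.read(), marker)
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server).
ECHOING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 60\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-XST-Check: deadbeefdeadbeef\r\n"
    b"\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("echoing server reflects TRACE:", trace_is_reflected(ECHOING_RESPONSE, "deadbeefdeadbeef"))
    print("hardened server reflects TRACE:", trace_is_reflected(HARDENED_RESPONSE, "deadbeefdeadbeef"))
```

The offline classifier is what the test exercises; `probe_trace` is the same logic over a live connection to a host you run yourself. On Apache the fix is `TraceEnable off` in the main server configuration; a server that refuses the method answers 405 or 501, which the classifier treats as not reflected.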

3 of 299 comments

  1. Re:not related by Anonymous Coward · · Score: 1, Offtopic

    Hmmm.. My firewall log shows that I'm getting probed on this port (1434) every few seconds from 20 or more different IP addresses... I'm on AT&T's "broadband" network...

  2. the TRACE vuln has nothing to do with it.... by eecue · · Score: 0, Offtopic

    Resent-From: mbac@romulus.netgraft.com
    From: Michael Bacarella
    Date: Fri Jan 24, 2003 11:11:41 PM America/Los_Angeles
    Resent-To: bugtraq@securityfocus.com
    To: nylug-talk@nylug.org, wwwac@lists.wwwac.org, linux-elitists@zgp.org
    Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

    I'm getting massive packet loss to various points on the globe. I am seeing a lot of these in my tcpdump output on each host.

        02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
        02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0

    It looks like there's a worm affecting MS SQL Server which is pingflooding addresses at some random sequence. All admins with access to routers should block port 1434 (ms-sql-m)! Everyone running MS SQL Server shut it the hell down or make sure it can't access the internet proper!

    I make no guarantees that this information is correct, test it out for yourself!

    --
    Michael Bacarella
    24/7 phone: 646 641-8662
    Netgraft Corporation
    http://netgraft.com/
    "unique technologies to empower your business"
    Finger email address for public key.
    Key fingerprint: C40C CB1E D2F6 7628 6308 F554 7A68 A5CF 0BD8 C055

    --
    -- sigs suck --
  3. Re:relation? by LinuxPunk · · Score: 1, Offtopic

    Hmmm... Over here (Canada) the internet seems mostly fine, only a few sites that I've been to are down, including www.distrowatch.com. In fact, I'm listening to internet radio right now, and there is no lag at all (digitallyimported.com). This seems like it is a mostly UUnet targeted attack.. according to internethealthreport.com...