Slashdot Mirror


Cross-Site-TRACE

quackking writes "Uh-oh! Looks bad for RFC 2068! Kudos to WhiteHat out of Santa Clara, CA for this one. ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack - XST - cross-site-trace. When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts. Even devices like web-managed routers are open to this."

11 of 299 comments

  1. BoingBoing is amazing by TerryAtWork · · Score: 5, Interesting

    When this was a physical magazine, it was one of the most fun, intelligent and readable cyber magazines ever. I bought my copies at the short lived Binary Cafe in Toronto (three computers on dialup to the net...) - and now I can't find them.

    Kind of like Mondo 2000, Wired and National Lampoon (jeez - anyone here remember when those were good?) all rolled into one. Now it's a web site and a HECK of a mail list.

    Highly recommended and I'm looking forward to DLing the book. (As soon as the /. effect ends.)

    --
    It's Christmas everyday with BitTorrent.
  2. Re:why would i buy? by Erasmus+Darwin · · Score: 5, Insightful
    "why would i go buy the book, when i just downloaded the pdf for free?"

    For the same reason that you'd go see a concert of a band that allows you to trade bootlegs of their concerts. The content may be the same, but the presentation of the for-pay version is in a format that is usually considered more desirable.

  3. Re:Most science fiction by schlach · · Score: 5, Insightful
    I can't figure out why the reaction to the 0wNz0red story in August was so bad on slashdot. I thought it was a very entertaining, enjoyable, and thought-provoking read, in the grande style of good science fiction.

    I think most of it was a reaction to the language, which strikes me as bizarre. This is how we think! Maybe shutter-geeks are intolerant of words coined after 1960, but I hate to tell you folks, look how many pieces of language we owe to Gibson's contribution.

    Check out "Tales for the 1337 presents: Romeo & Juliet". That's funny shit, because of the way it illustrates how language is changing with the kids. Before you dismiss them as punks, remember that in ten years they'll be dismissing us as fogies.

    It's always been the case that language is purely the spoken word, and that writing is only linguistically interesting in the sense that it helps us track the progress of language. That's not exactly what I mean, but close enough. Anyway, what's come to be known as '1337' (but I'll generalize as "chat colloquialisms" b/c ppl ph34r th4t w0rd) is the first time that writing is dictating language. kewl.

    When you find yourself saying - out loud - "bbl", or "brb", or "haxor, fuxor, suxor", or "warez, filez, skillz" in 'real life', you know you're part of the change. Hell, when I say "owned" wrt computer security, I know it's spelled with a zero. Writing is leading language in this case, unlike others, because within this particular group of people, writing has become the dominant communication medium. Otherwise, it would follow the same slang-path that you are probably more familiar with, like "cool", "sweet", "rock", etc, which progresses from within spoken circles to the dictionary in an orderly fashion.

    Quoth sirinek,
    I'd like to thank the submitter of the story for calling it a "weblog" instead of some lame-ass made-up-for-the-sake-of-making-a-name-up name like a "blog" or a "wiki". :)

    I'm sure I'm not alone in my praise :)

    He's right, he's not alone. But I'm not with him. I have a blog. I blog things on my blog. This comment will probably be blogged in some shape or form. And I'm thinking about starting a wiki for a different project. 'Wiki' is the only word there is for a wiki. The only way I can think of to avoid using it is to not think about the idea that 'wiki' represents ... which just seems faulty.

    Interrobang,
    It's nice to see someone play with language, and it's nice to see someone who apparently knows a little bit of something (instead of a whole lot of nothing) about computers writing speculative fiction, for a change. Or don't you guys get a little bit annoyed about totally impossible (instead of wildly improbable) computers (and/or technology) in speculative fiction?

    Aren't we progressive? Aren't we adaptive? I've got a lot of hope riding on this generation of geeks, to look forward to the future, optimizing the world, if you will... I shudder to think that, underneath it all, we geeks think that our own language and the way we think should be constant and unchanging throughout our (adult) lives...
  4. not related by benh57 · · Score: 5, Informative
    This vulnerability is about sites getting access to other sites' cookies.

    It is not likely to be related to the current DDOS, which seems to be this MS vuln.

  5. The write-up is misleading by Admiral+Burrito · · Score: 5, Informative
    When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts.

    The script is not executed on the server. It is executed on the client.

    This is a sort of cross-site scripting vulnerability, not an "execute arbitrary commands on any web server" vulnerability like the writeup suggests.

  6. /!\ Security Alert _ [] [X] by Seehund · · Score: 5, Funny

    Your Computer Is Currently Broadcasting An
    Internet IP Address. With This Address, Someone Can
    Immediately Begin Attacking Your Computer! [ OK ]


    Shut up Slashdot. I get all the Security Alerts I need from media*.fastclick.net.

    --
    Help saving AmigaOS and a free PowerPC market
  7. This story is crap by evilviper · · Score: 5, Informative

    This story is utter alarmist crap. There is nothing wrong with TRACE, and the internet is not falling apart. It's just another IE cross-site scripting vulnerability. Here's a few choice links from the discussion on bugtraq:

    http://online.securityfocus.com/archive/1/307778/2003-01-22/2003-01-28/0
    http://online.securityfocus.com/archive/1/308165/2003-01-22/2003-01-28/0

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  8. THE XSL VULNERABILITY IS SNAKE OIL by defile · · Score: 5, Informative

    If your applications aren't vulnerable to XSS, you have nothing to worry about w.r.t. HTTP TRACE. If your applications ARE vulnerable to XSS, you have bigger problems than HTTP TRACE.

    If users visiting other sites somehow have untrusted code running in them, which performs an HTTP TRACE to your site, the user's browser is broken for not enforcing domain restrictions.

    Ignore this advisory, it's sensationalist snake oil. Leaving HTTP TRACE enabled is harmless (although you probably don't use it, so disable it anyway).

  9. A couple choice quotes from the "whitepaper" by jeremie · · Score: 5, Insightful
    Typical Sky-Is-Falling (tm) propaganda, this is so 90's:

    "Scenarios assume the following:
    A user visits a malicious web site or views malicious content hosted by a trusted source (message board, web mail, etc..)"

    "To resolve this limitation, we had to utilize extended client-side scripting technologies to create and send a specially formatted HTTP request to a target web server." (this must pass through the web browser which must foolishly attach authentication cookies in question (which properly implemented secure systems don't rely on anyway))

    "To restate, all the sensitive information is still accessible even over an SSL link." (what the hell? it's just the friggin headers! cookies and weak basic auth (they didn't even show and I'm not convinced the (broken) browsers send the auth headers in such forged requests)

    "There is however at this point a limiting factor preventing wider a danger escalation. The TRACE connection made by the browser, will NOT be allowed by the browser, to connect to anything other than the domain hosting the actual script content... To increase the exposure of the exploit, we are in need of a domain-restriction-bypass vulnerability" (MAKE THIS CLEAR, IT ONLY WORKS IN A CROSS-SITE SCRIPTING VULNERABLE BROWSER)


    To re-iterate: your web server or site isn't vulnerable because it supports trace, that's about as silly as blaming ping packets for the ping-of-death problems on early windoze systems, sheesh.

    This is all a bunch of crap that requires a browser to be vulnerable to cross scripting, and for the user to have visited a malicious site just beforehand.
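The TRACE behaviour that comments 5, 8 and 9 above argue about (the echo is read on the client, nothing runs on the server, and the practical fix is simply to turn TRACE off) shown as an added example that is not from the thread or from any of the posters: a Python script that starts two constructed local servers, one honouring TRACE as RFC 2068 describes it and one refusing it with 405, and a checker that sends a TRACE carrying a constructed Cookie header and reports whether the server reflects it. The handler classes, start_server, check_trace and the sample cookie value are all assumptions made here, not anything from the advisory.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample value; a real browser would attach the site's own cookies.
SAMPLE_COOKIE = "session=constructed-sample-value"


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Constructed server that honours TRACE the way RFC 2068 describes it:
    the response body is the request line and headers it received, echoed
    back verbatim as message/http. Every request header, Cookie included,
    therefore comes back to whoever made the request."""

    trace_enabled = True

    def do_TRACE(self):
        if not self.trace_enabled:
            # Hardened variant: refuse the method outright.
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):
        pass  # keep the demo output to what main() prints


class TraceDisabledHandler(TraceEchoHandler):
    """Same server with TRACE turned off (the 'disable it anyway' advice)."""

    trace_enabled = False


def start_server(handler_class):
    """Bind a constructed server on a free loopback port; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_class)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_trace(host, port):
    """Send one TRACE carrying SAMPLE_COOKIE and return (status, echoed_cookie).
    echoed_cookie is None when the server does not reflect the header, which
    is what a defender wants to see."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": SAMPLE_COOKIE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        status = resp.status
    finally:
        conn.close()
    echoed = None
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            echoed = value.strip()
    return status, echoed


def main():
    for label, handler in (("TRACE enabled", TraceEchoHandler),
                           ("TRACE disabled", TraceDisabledHandler)):
        srv = start_server(handler)
        try:
            status, cookie = check_trace(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
        print(f"{label}: status {status}, Cookie echoed: {cookie!r}")


if __name__ == "__main__":
    main()
```

Run it as-is and the first server reflects the Cookie header in a 200 body while the second answers 405 with nothing reflected; pointing check_trace at a real host and port tells you which of the two your own server behaves like.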
  10. Read BugTraq by Goodbyte · · Score: 5, Informative

    As has been discussed on BugTraq in the last few days, this is not a 'general' vulnerability, rather a bug in Microsoft's XMLHTTP component (no matter what the whitepaper says).

    References: RE: TRACE used to increase the dangerous of XSS.
    Original posting to Bugtraq

  11. Re:relation? by amigaluvr · · Score: 5, Funny

    hrm kevin mitnick is allowed back on the net and the net goes fubar

    hrmmmmmmmmmmmmmmm????