|| ||John Fremlin <email@example.com>|
|| ||Misleading reporting of TRACE flaw|
|| ||Fri, 07 Feb 2003 03:59:54 +0000|
In http://lwn.net/Articles/21364/ "Cross-site tracing attacks" it says:
The whitepaper is more tempered, but it implies that the TRACE
method has a defect which compromises every web server.
This is misleading. Having read the white paper I cannot see where it
implies or states that.
The information is being leaked from the client. The client wrongly
sends the sensitive information to the server, which is then echoed
back, and this reply containing the sensitive information is wrongly
made available to the untrusted code.
The problem clearly lies with a bug in the ActiveX, etc. objects, not
the server, as the white paper states. It does recommend that TRACE be
disabled to make it impossible for the vulnerability to affect
vulnerable clients, but the problem will not lead to the compromise of
any web server unless it is possible to do that by reading someone's
cookie. Which is very, very doubtful.
Comments (none posted)
Page editor: Jonathan Corbet