|
|
Log in / Subscribe / Register

Letters to the editor

Misleading reporting of TRACE flaw

From:  John Fremlin <john@fremlin.de>
To:  letters@lwn.net
Subject:  Misleading reporting of TRACE flaw
Date:  Fri, 07 Feb 2003 03:59:54 +0000

In http://lwn.net/Articles/21364/ "Cross-site tracing attacks" it says:
 
   The whitepaper is more tempered, but it implies that the TRACE
   method has a defect which compromises every web server.
 
This is misleading. Having read the white paper I cannot see where it
implies or states that.
 
The information is being leaked from the client. The client wrongly
sends the sensitive information to the server, which is then echoed
back, and this reply containing the sensitive information is wrongly
made available to the untrusted code.
 
The problem clearly lies with a bug in the ActiveX, etc. objects, not
the server, as the white paper states. It does recommend that TRACE be
disabled to make it impossible for the vulnerability to affect
vulnerable clients, but the problem will not lead to the compromise of
any web server unless it is possible to do that by reading someone's
cookie. Which is very, very doubtful.
 

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds