Jade Rubick wrote:
Does Aolserver implement the TRACE command?
http://www.extremetech.com/article2/0,3973,841047,00.asp
Here's what RFC 2616 says about TRACE. This is just about all it says
about TRACE. The other mentions are about issues that couldn't cause an
exploit:
http://www.ietf.org/rfc/rfc2616.txt
9.8 TRACE
The TRACE method is used to invoke a remote, application-layer loop-
back of the request message. The final recipient of the request
SHOULD reflect the message received back to the client as the
entity-body of a 200 (OK) response. The final recipient is either the
origin server or the first proxy or gateway to receive a Max-Forwards
value of zero (0) in the request (see section 14.31). A TRACE request
MUST NOT include an entity.
TRACE allows the client to see what is being received at the other
end of the request chain and use that data for testing or diagnostic
information. The value of the Via header field (section 14.45) is of
particular interest, since it acts as a trace of the request chain.
Use of the Max-Forwards header field allows the client to limit the
length of the request chain, which is useful for testing a chain of
proxies forwarding messages in an infinite loop.
If the request is valid, the response SHOULD contain the entire
request message in the entity-body, with a Content-Type of
"message/http". Responses to this method MUST NOT be cached.
I am printing out WhiteHat's WhitePaper now (on my own highly patented
WritePaper (TM)):
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf.
But this exploit is evidently related to cross site scripting.
Anyway, my own initial thoughts are that I am thinking the problem is
not reflecting back the messages, but including all the cookies and
headers in the message. If so, there is nothing in the RFC that I can
see that suggests an HTTP 1.1 server needs to send anything other than a
200 header. The VIA header IS an information leak, but if I recall from
the past, lots of actual proxies don't implement that header anyway....
And it would be a reasonable thing to do to NOT implement it.
If the problem is sending anything at all and not just the headers, well
I confess thinking: Wow. Cool. Bad.
Jerry
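Added example, not from this thread or from AOLserver: a small Python audit that takes a captured TRACE response and reports what the server echoed back, which is the distinction Jerry draws above between a bare 200 and a reflection that includes the client's cookies and headers. The sample responses are constructed for the demonstration, and the refusing handler at the end shows one way a server can decline TRACE with a 405 (the `do_TRACE` hook is Python's `http.server` convention, not anything AOLserver does).

```python
"""Audit what a server reflects in a TRACE response (added example, constructed data)."""
from http.server import BaseHTTPRequestHandler

# Header names whose reflection is the XST concern: a script that can read the
# TRACE response body can read these even if it cannot read them directly.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}


def split_message(raw: bytes):
    """Split a raw HTTP message into (start line, {lowercased name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_trace_response(raw: bytes) -> dict:
    """Classify a TRACE response by how much of the request it reflects.

    Verdicts:
      not-reflected        - non-200 status (method refused or unsupported)
      status-only          - 200 with no message/http body
      reflects-headers     - request echoed, no credential headers present
      reflects-credentials - request echoed including Cookie/Authorization
    """
    status_line, headers, body = split_message(raw)
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    result = {"status": status, "reflected": [], "sensitive": []}
    if status != 200:
        result["verdict"] = "not-reflected"
        return result
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "message/http" or not body:
        result["verdict"] = "status-only"
        return result
    # The body is itself an HTTP request message; parse its header block.
    _, echoed, _ = split_message(body)
    result["reflected"] = sorted(echoed)
    result["sensitive"] = sorted(h for h in echoed if h in SENSITIVE_HEADERS)
    result["verdict"] = "reflects-credentials" if result["sensitive"] else "reflects-headers"
    return result


# Constructed sample responses (not captured from any real server).
REFLECTING = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Cookie: session=constructed-sample\r\n\r\n"
)
STATUS_ONLY = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"


class TraceRefusingHandler(BaseHTTPRequestHandler):
    """Handler that answers TRACE with 405 instead of echoing the request."""

    def do_TRACE(self):  # noqa: N802 - name required by BaseHTTPRequestHandler
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):  # noqa: N802
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    for name, sample in (("reflecting", REFLECTING), ("status-only", STATUS_ONLY), ("disabled", DISABLED)):
        print(name, audit_trace_response(sample))
```

Run the file to see the three verdicts; point `audit_trace_response` at a response captured from your own server to see which header names it echoes.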