Okay it's not a bug, it's a feature. ;-) All I know is that Microsoft and Netscape are going to need to release new versions of XMLHTTP that either disallow the TRACE command altogether or strip cookie values and authen. info from TRACE results. I personally vote for removing TRACE support in XMLHTTP.
Richard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thor Larholm Sent: Thursday, January 23, 2003 4:33 AM To: Richard M. Smith; [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] RE: TRACE used to increase the dangerous of XSS. This is not a bug in IE or XMLHTTP, and the cookie is not returned as part of the HTTP response headers. It is returned as part of the HTTP response body, which is exactly how TRACE works. Manipulating the HTTP response body returned is the last thing XMLHTTP would, or should, do. IE is not the only browser that has XMLHTTP, Mozilla implemented a fullyworking copy with the exact same behavior. Neither remove any Set-Cookie HTTP headers from the response exposed to scripting. Regards Thor Larholm PivX Solutions, LLC - Senior Security Researcher Latest PivX research: Multi-vendor Game Server DDoS Vulnerability http://www.pivx.com/press_releases/mk_mk001.html -----Original Message----- From: Richard M. Smith [mailto:[EMAIL PROTECTED]] Sent: 22. januar 2003 23:35 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: TRACE used to increase the dangerous of XSS. Isn't this a bug in Internet Explorer? Shouldn't the Microsoft XMLHTTP ActiveX control be removing cookies from returned HTTP headers when a HTTP TRACE is done? I know that this already happens when a GET or a POST is done with XMLHTTP. Richard M. Smith http://www.ComputerBytesMan.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
