Richard M. Smith wrote:
Okay it's not a bug, it's a feature. ;-) All I know is that Microsoft and Netscape are going to need to release new versions of XMLHTTP that either disallow the TRACE command altogether or strip cookie values and authen. info from TRACE results. I personally vote for removing TRACE support in XMLHTTP.Richard
Richard, what are you smoking?
Last time I checked, Mozilla does not allow connecting with XMLHTTP to other sites. So removing TRACE method because of other bugs is quite silly.
On page 7 of the original paper is clearly explained that in order this attack to be possible there should be another bug.
Last time I checked, bugs which allow this attack, also allow taking over internet exploder completely. So why don't just download the user's hard drive and sort the cookies from the porn?
Georgi Guninski
http://www.guninski.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
