Cross-site tracing attack via HTTP TRACK / TRACE method



 
chris
Dark Lord of the Sith


Joined: 10 May 2003
Posts: 6267
Location: Outer Space

Posted: Tue Jan 06, 2004 2:15 pm    Post subject: Cross-site tracing attack via HTTP TRACK / TRACE method

A new vulnerability has been found in IIS which allows the reading of cookies. This is potentially possible also on Apache.

From Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method:
Quote:
Microsoft IIS servers support the HTTP TRACK method. The HTTP TRACK method asks a web server to echo the contents of the request back to the client for debugging purposes. The TRACK request is not RFC compliant and not well documented.

The complete request, including HTTP headers, is returned in the entity-body of a TRACK response. This leads to a Cross-site Scripting attack. Using features that provide client-side HTTP protocol support, such as XMLHTTP ActiveX or XMLDOM scripting objects, a web site can cause browsers to issue TRACK requests. The site can read the TRACK response, including sensitive header information such as cookies or authentication data.

Because the TRACK method is similar to the TRACE method, when combined with cross-domain browser vulnerabilities (VU#244729, VU#711843, VU#728563), HTTP TRACK and client-side HTTP support can be leveraged by attackers to read sensitive header information from third-party domains. This technique has been termed "Cross-Site Tracing," or XST, in a report published by WhiteHat Security. As noted in the report, the technique can be used to bypass the HttpOnly cookie attribute introduced in Microsoft Internet Explorer 6.0 SP1. HttpOnly blocks script access to the cookie property (document.cookie), but does not prevent a scripting object from reading the cookie out of an HTTP TRACK response.

IIS 6 is reported to be not vulnerable.


In the White Paper of WhiteHat Security, this new method of Cross-Site-Scripting is explained in detail. The essence is (setting to bold by me):
Quote:
WhiteHat staff discovered a new web security attack technique that is able not only to bypass the httpOnly mechanism present in i.e. 6 service pack 1, but in addition the ability to xss just about anything from just about anywhere. This technique allows client-side scripting languages, such as javascript, and possibly other client-side technologies like vbscript, flash, java, etc., the ability access http web authentication credentials, with the added bonus of achieving this result over ssl.


Normally, the cookie is sent back only to the domain it belongs to. But with this TRACE or TRACK HTTP method, it is possible to request a trace and the web server will send back all data, including the cookie! This is especially important for PHP-Nuke, since it relies on cookies for the authentication of its users.

This kind of attack is called Cross-Site-Tracing (XST). All web servers are vulnerable, not only IIS, but also Apache!

To protect yourself, you should deactivate the TRACE HTTP method, if you are using Apache, and the TRACK HTTP method, if you are using IIS:

For Apache, you should put the following in the .htaccess file of your document root (or, for performance reasons, directly in the configuration file of Apache, if you have access to it):

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]


Of course, this assumes that you have mod_rewrite installed.

For IIS, you should filter out the TRACE and TRACK methods with the URLScan filter. The only methods allowed should be GET, HEAD and POST.

You have been warned.
_________________
Regards

Chris Karakas
www.karakas-online.de


Last edited by chris on Tue Apr 20, 2004 4:06 pm; edited 1 time in total
rasputinj
Sergeant


Joined: 31 Dec 2003
Posts: 28

Posted: Wed Jan 07, 2004 7:03 pm    Post subject:

Quote:
For Apache, you should put the following in the .htaccess file of your document root (or, for performance reasons, directly in the configuration file of Apache, if you have access to it):

Code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]



Chris, do you know how to turn off TRACE in the config file of Apache? I read the article and it did not say, and I did a Google search and did not come up with anything.
_________________
Rasputinj
Rasputinj.com Deal and Coupon Code Svengali
chris
Dark Lord of the Sith


Joined: 10 May 2003
Posts: 6267
Location: Outer Space

Posted: Wed Jan 07, 2004 9:03 pm    Post subject:

Put those 3 lines somewhere in your config file. I have them just before the section for the virtual hosts.
_________________
Regards

Chris Karakas
www.karakas-online.de
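
One way to confirm on a server you run that the three rewrite lines discussed in this thread are in effect (an added example, not part of the original posts): send TRACE and TRACK with a dummy cookie and check whether the cookie comes back in the response body. The names `probe`, `classify`, `MARKER` and `SAMPLES` are assumptions made for this sketch, and the sample responses are constructed.

```python
import http.client

MARKER = "xst-probe-0001"  # constructed value, not a real credential
BLOCKED = {403, 405, 501}  # 403 is what the [F] flag of the rewrite rule returns


def classify(status, body, marker=MARKER):
    """Judge one response to a TRACE/TRACK probe."""
    if 200 <= status < 300 and marker in body:
        return "echoed"    # request headers came back in the entity-body
    if status in BLOCKED:
        return "blocked"
    return "unclear"       # e.g. redirect or custom error page: check by hand


def probe(host, port=80, tls=False, methods=("TRACE", "TRACK"), timeout=5):
    """Send each method with a dummy cookie; return {method: verdict}."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    results = {}
    for method in methods:
        conn = cls(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={"Cookie": "probe=" + MARKER})
            resp = conn.getresponse()
            body = resp.read(65536).decode("latin-1")
            results[method] = classify(resp.status, body)
        except (OSError, http.client.HTTPException):
            results[method] = "unclear"
        finally:
            conn.close()
    return results


# Constructed sample responses (status, body), not captured traffic.
SAMPLES = {
    "trace enabled": (200, "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                           "Cookie: probe=xst-probe-0001\r\n\r\n"),
    "rewrite rule active": (403, "<h1>Forbidden</h1>"),
    "method not allowed": (405, ""),
    "redirect": (302, ""),
}


def verdicts():
    """Classify every constructed sample above."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}
```

Calling `probe("www.example.test")` (placeholder host name) against your own server should return `blocked` for both methods once the rule is loaded; `echoed` means the server still reflects request headers.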