Er... HTTP doesn't specify a TRACK method, and Apache doesn't seem to implement it. What server did you try this with?
It appears to be a Microsoft thing: an unlogged TRACE (why?)
http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0321.html
http://msdn2.microsoft.com/en-us/library/aa364664.aspx
Its only purpose seemed to be to have an unlogged TRACE, and the "unlogged-ness" of it was a problem for server admins. In IIS 6 it's just a TRACE. Looks like recommended practice to block it on the server side: http://msmvps.com/blogs/bernard/archive/2003/12.aspx
I guess we should block this one too. Jonas, can we get this into the WebAPI WG XHR spec, or is it too late for that?
(In reply to comment #1)
> Er... HTTP doesn't specify a track method, and apache doesn't seem to implement
> it.
>
> What server did you try this with?

Microsoft IIS. I don't believe it's enabled by default on IIS 6.0; however, earlier versions did enable it by default. http://www.kb.cert.org/vuls/id/288308
Created attachment 265438: add "track"
If MS has fixed their servers in 2004 and it's non-standard to begin with perhaps we shouldn't bother. On the other hand it's a trivial change to help protect our users from clueless server admins.
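The client-side check under discussion, as an added example rather than the attachment from this bug or any Mozilla code: an XHR-style method filter that refuses TRACK alongside TRACE before a request is opened. It goes slightly beyond the page by also listing CONNECT, which the current XHR/Fetch standard forbids for the same reason. The `ScriptRequest` class, the `auditMethods` helper and the sample method list are constructed for illustration and are not real browser APIs.

```javascript
// Added example (not the bug's patch): client-side refusal of TRACE/TRACK
// in an XMLHttpRequest-style open() call.

// HTTP method names are tokens (RFC 7230 tchar); anything else is a syntax error.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Methods a browser must never let page script send. The comparison is
// case-insensitive, so "track", "Track" and "TRACK" are all refused.
// CONNECT is included because the current XHR/Fetch standard forbids it too.
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

function isForbiddenMethod(method) {
  return FORBIDDEN_METHODS.has(method.toUpperCase());
}

// Hypothetical minimal stand-in for XMLHttpRequest.open(). Returns the
// normalized method on success and throws on a malformed or forbidden one.
class ScriptRequest {
  constructor() {
    this.method = null;
    this.url = null;
  }

  open(method, url) {
    if (typeof method !== "string" || !TOKEN_RE.test(method)) {
      throw new SyntaxError(`invalid HTTP method token: ${JSON.stringify(method)}`);
    }
    if (isForbiddenMethod(method)) {
      throw new Error(`SecurityError: method ${method.toUpperCase()} is forbidden`);
    }
    // Assumption for this example: every method is uppercased. Real XHR only
    // uppercases a fixed set of well-known methods.
    this.method = method.toUpperCase();
    this.url = url;
    return this.method;
  }
}

// Audit helper: given method names observed in client code, report which ones
// the filter above would refuse and which it would pass through.
function auditMethods(methods) {
  const refused = [];
  const allowed = [];
  for (const m of methods) {
    if (!TOKEN_RE.test(m) || isForbiddenMethod(m)) {
      refused.push(m);
    } else {
      allowed.push(m);
    }
  }
  return { refused, allowed };
}

// Constructed sample: method names as a script might pass them to open().
const SAMPLE_METHODS = ["GET", "post", "track", "TRACE", "Track", "DELETE", "PROPFIND"];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditMethods(SAMPLE_METHODS));
}
```

Running the file prints the refused and allowed lists for the constructed sample; the point of the case-insensitive comparison is that a check on the literal string "TRACE" alone would let "trace" or "track" through, which is exactly the gap the added "track" entry closes.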
Does this bug need to remain security sensitive? The TRACE issue was announced, and the fact that IIS servers implement TRACK is likewise old news.
Comment on attachment 265438: add "track"
I guess since XHR got moved to content I need module-owner/peer approval as well.
Is this exploit public for other browsers? If not we probably don't want to publish it on the webapi mailing list without giving the other vendors an opportunity to release a patched version first
It's been well known for quite a while now. Microsoft created a patch to prevent XHR from using the TRACE and TRACK methods around a year ago for IE6. I have no specific information about Opera.
Comment on attachment 265438: add "track"
approved for 184.108.40.206 and 220.127.116.11, a=dveditz for release-drivers
Fix checked into trunk
Checked into 1.8 branches