Bug 381264 - XHR TRACK method (IIS) could be used to compromise Authorization and Cookie headers
Status: RESOLVED FIXED
Whiteboard: [sg:low]
Keywords: fixed1.8.0.13, fixed1.8.1.5, privacy
Product: Core
Classification: Components
Component: XML
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
QA Contact: Ashish Bhatt
Reported: 2007-05-19 09:12 PDT by Brandon Eisenmann
Modified: 2007-08-24 17:35 PDT
CC: 6 users
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.13+
dveditz: wanted1.8.0.x+
dveditz: in-testsuite?


Attachments
add "track" (887 bytes, patch)
2007-05-20 11:16 PDT, Daniel Veditz [:dveditz]
cbiesinger: review+
jonas: superreview+
dveditz: approval1.8.1.5+
dveditz: approval1.8.0.13+

Description Brandon Eisenmann 2007-05-19 09:12:32 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Firefox still allows XMLHTTP to use the TRACK method.  This vulnerability can be used almost exactly as Bug 302489 by attackers and will reveal HTTP Authorization and Cookie headers.  The code to reproduce only differs with the HTTP method used.
Reproducible: Always

Steps to Reproduce:
1. Have the following code execute on a page served from a server that supports the TRACE Method

var xmlhttp = new XMLHttpRequest();
xmlhttp.open("TRACK", "a.html");
// Max-Forwards: 0 asks the first hop to answer itself rather than forward the request
xmlhttp.setRequestHeader("Max-Forwards", "0");
xmlhttp.onreadystatechange = function() {
  if (xmlhttp.readyState == 4) {
    // The server's echo of the request arrives in responseText
    alert("Status: " + xmlhttp.status + "\n" + xmlhttp.responseText);
  }
};
xmlhttp.send(null);
Actual Results:
The server will respond with an echo of the request readable by JavaScript in the responseText, including Cookies and HTTP Auth.  This would also bypass the httpOnly cookie flag.


Apply the following patch to nsXMLHttpRequest.cpp

915a916,920
>
>   // Disallow HTTP/1.1 TRACK method (see bug XXXXXX).
>   if (method.LowerCaseEqualsASCII("track")) {
>     return NS_ERROR_INVALID_ARG;
>   }
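Review bot: the comment on the added lines, "Disallow HTTP/1.1 TRACK method (see bug XXXXXX)", is inaccurate and carries a placeholder: HTTP/1.1 does not define TRACK (comment 1 notes this; comment 2 identifies it as a Microsoft IIS alias of TRACE), and XXXXXX should be this bug's number. Suggest "// Disallow the non-standard IIS TRACK method, an unlogged alias of TRACE (see bug 381264)." The case-insensitive LowerCaseEqualsASCII comparison is the right choice here, since a page could otherwise pass "Track" or "tRaCk" to get past an exact-match check; a test exercising the mixed-case spellings would close the in-testsuite? flag that is still open on this bug.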
Comment 1 Christian :Biesinger (don't email me, ping me on IRC) 2007-05-19 10:14:42 PDT
Er... HTTP doesn't specify a track method, and apache doesn't seem to implement it.

What server did you try this with?
Comment 2 Daniel Veditz [:dveditz] 2007-05-20 11:00:55 PDT
It appears to be a Microsoft thing: an unlogged TRACE (why?)
http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0321.html
http://msdn2.microsoft.com/en-us/library/aa364664.aspx

Its only purpose seemed to be to have an unlogged TRACE, and the "unlogged-ness" of it was a problem for server admins. In IIS 6 it's just a TRACE. Looks like recommended practice to block it on the server side:

http://msmvps.com/blogs/bernard/archive/2003/12.aspx

I guess we should block this one too. Jonas, can we get this into the WebAPI WG XHR spec, or is it too late for that?
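The following is an added example, not Mozilla's code and not the attachment on this bug: a case-insensitive check for request methods that XMLHttpRequest must refuse, of the kind the one-line patch above adds to nsXMLHttpRequest.cpp, generalised to the forbidden list (CONNECT, TRACE, TRACK) and the upper-casing of the common methods that the XHR/Fetch specifications later standardised. The function and enum names are this example's own; the error names in the comments are the spec's, and the return value stands in for the NS_ERROR_INVALID_ARG the patch returns.

```cpp
// Added example (not Mozilla's code): validate the method a page hands to
// XMLHttpRequest.open() before any request is built. Mirrors the TRACE/TRACK
// rejection discussed in this bug, extended to the full list the XHR/Fetch
// specs eventually adopted.
#include <cctype>
#include <cstring>
#include <iostream>
#include <string>

enum MethodCheck {
  kMethodOk,             // send the request using `normalized`
  kMethodSyntaxError,    // not an HTTP token (spec: throw SyntaxError)
  kMethodSecurityError,  // forbidden method (spec: throw SecurityError)
};

// TRACE echoes the request, Cookie and Authorization headers included, into
// responseText; TRACK is IIS's unlogged alias of TRACE; CONNECT would let a
// page open a tunnel through a proxy. All three are refused regardless of case.
static const char* const kForbiddenMethods[] = {"CONNECT", "TRACE", "TRACK"};

// Methods the spec upper-cases so that "post" and "POST" behave the same.
static const char* const kNormalizedMethods[] = {"DELETE", "GET",  "HEAD",
                                                 "OPTIONS", "POST", "PUT"};

static std::string ToUpperAscii(std::string s) {
  for (char& c : s) {
    c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
  }
  return s;
}

// RFC 7230 "token": one or more tchar; no whitespace, separators or controls.
static bool IsHttpToken(const std::string& s) {
  if (s.empty()) return false;
  for (unsigned char c : s) {
    if (std::isalnum(c)) continue;
    if (c != 0 && std::strchr("!#$%&'*+-.^_`|~", c)) continue;
    return false;
  }
  return true;
}

// Returns the check result; on kMethodOk, *normalized holds the method to send.
MethodCheck ValidateXhrMethod(const std::string& method, std::string* normalized) {
  if (!IsHttpToken(method)) return kMethodSyntaxError;
  const std::string upper = ToUpperAscii(method);
  for (const char* forbidden : kForbiddenMethods) {
    if (upper == forbidden) return kMethodSecurityError;  // "TRACK", "track", "TrAcK" ...
  }
  for (const char* common : kNormalizedMethods) {
    if (upper == common) {
      *normalized = upper;
      return kMethodOk;
    }
  }
  *normalized = method;  // other methods (e.g. PATCH, custom verbs) are sent as spelled
  return kMethodOk;
}

int main() {
  // Constructed sample inputs, including the mixed-case spellings an exact-match check would miss.
  const char* samples[] = {"GET", "post", "TRACK", "track", "TrAcE", "PATCH", "GET /x", ""};
  for (const char* m : samples) {
    std::string out;
    MethodCheck r = ValidateXhrMethod(m, &out);
    std::string verdict = r == kMethodOk            ? "ok, send as " + out
                          : r == kMethodSecurityError ? std::string("SecurityError (forbidden method)")
                                                      : std::string("SyntaxError (not an HTTP token)");
    std::cout << '"' << m << "\" -> " << verdict << '\n';
  }
  return 0;
}
```

The check runs on the method string before it is ever placed in a request, which is why case-folding matters: the server, not the client, decides what "track" means, so the client must refuse every spelling rather than only the canonical one.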
Comment 3 Brandon Eisenmann 2007-05-20 11:07:01 PDT
(In reply to comment #1)
> Er... HTTP doesn't specify a track method, and apache doesn't seem to implement
> it.
> 
> What server did you try this with?
> 

Microsoft IIS. I don't believe it's enabled by default on IIS 6.0; however, earlier versions did enable it by default. http://www.kb.cert.org/vuls/id/288308
Comment 4 Daniel Veditz [:dveditz] 2007-05-20 11:16:18 PDT
Created attachment 265438 [details] [diff] [review]
add "track"
Comment 5 Daniel Veditz [:dveditz] 2007-05-20 11:21:55 PDT
If MS has fixed their servers in 2004 and it's non-standard to begin with perhaps we shouldn't bother. On the other hand it's a trivial change to help protect our users from clueless server admins.
Comment 6 Daniel Veditz [:dveditz] 2007-05-20 11:36:50 PDT
Does this bug need to remain security sensitive? The TRACE issue was announced, and the fact that IIS servers implement TRACK is likewise old news.
Comment 7 Daniel Veditz [:dveditz] 2007-05-20 11:39:01 PDT
Comment on attachment 265438 [details] [diff] [review]
add "track"

I guess since XHR got moved to content I need module-owner/peer approval as well.
Comment 8 Jonas Sicking (:sicking) PTO Until July 5th 2007-05-20 16:12:00 PDT
Is this exploit public for other browsers? If not we probably don't want to publish it on the webapi mailing list without giving the other vendors an opportunity to release a patched version first
Comment 9 Brandon Eisenmann 2007-05-20 18:36:53 PDT
It's been well known for quite a while now.  Microsoft created a patch to prevent XHR from using the TRACE and TRACK methods around a year ago for IE6.  I have no specific information about Opera.
Comment 10 Daniel Veditz [:dveditz] 2007-06-22 11:15:37 PDT
Comment on attachment 265438 [details] [diff] [review]
add "track"

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Comment 11 Daniel Veditz [:dveditz] 2007-06-26 02:28:53 PDT
Fix checked into trunk
Comment 12 Daniel Veditz [:dveditz] 2007-07-03 17:42:50 PDT
Checked into 1.8 branches