W3C home > Mailing lists > Public > www-dom@w3.org > January to March 2003

Vulnerability Note VU#867593

From: Philippe Le Hegaret <plh@w3.org>
Date: 25 Feb 2003 09:34:00 -0500
To: WWW DOM <www-dom@w3.org>
Message-Id: <1046183639.611.216.camel@jfouffa.w3.org>

This vulnerability note is against the HTTP TRACE method but mentions
the "DOM interface" (with an improper link to the W3C site by the way).

Attackers may abuse HTTP TRACE functionality to gain access to
information in HTTP headers that is not otherwise available via the DOM

The DOM interface does not give the ability to do an HTTP TRACE nor the
ability to access information resulting from an HTTP TRACE. The cookie
attribute (as defined in DOM Level 2 HTML) is always attached to a
Document and therefore cannot result from an HTTP TRACE.

In any case, the HTTP TRACE method itself is only returned to the client
client application who has already access to those data.

Received on Tuesday, 25 February 2003 09:34:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 10:46:11 UTC