- From: Philippe Le Hegaret <plh@w3.org>
- Date: 25 Feb 2003 09:34:00 -0500
- To: WWW DOM <www-dom@w3.org>

This vulnerability note is against the HTTP TRACE method but mentions the "DOM interface" (with an improper link to the W3C site, by the way).

[[
Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers that is not otherwise available via the DOM interface.
]]
http://www.kb.cert.org/vuls/id/867593

The DOM interface does not give the ability to do an HTTP TRACE nor the ability to access information resulting from an HTTP TRACE. The cookie attribute (as defined in DOM Level 2 HTML) is always attached to a Document and therefore cannot result from an HTTP TRACE. In any case, the HTTP TRACE method itself is only returned to the client application, which already has access to those data.

Philippe

Received on Tuesday, 25 February 2003 09:34:01 UTC