New web vulnerability, says Irish security firm


27 Jan 2003

Zerflow, an Irish-based IT security firm, claims to have uncovered a serious vulnerability that could have major implications for internet users.

Engineers at the firm uncovered the fault. TRACE, a rarely used portion of the HTTP protocol that is enabled by default on all major web servers, could be used to compromise sensitive information such as usernames and passwords on everything from web-based email systems to online banks.

Beyond being a major vulnerability in its own right, the exploit also has the potential to negate measures already put in place by administrators to protect their web applications, claims Colin English, Zerflow’s chief security engineer. It does this by re-enabling cookie reading from client-side scripts, even where steps may already have been taken to address this flaw, he adds.

“Cross-site scripting vulnerabilities that allow hackers to access private information contained in secure cookies and which had previously been mitigated are now revived,” according to English. “This cross-site tracing vulnerability could be used in conjunction with current exploits to bypass domain restriction security policies and broaden the scope of the exploit. This exploit is browser-independent and would be best mitigated on web servers rather than clients by disabling the trace method,” he adds.

“Companies are definitely not going to publicly admit it, but it does exist and nobody has come out and said they have been hit with it. They have kept it well under wraps. It is a big issue because cookie data is no longer secure if a web server supports this Trace method. It should be removed on all the web servers, definitely,” he concludes.

By Lisa Deeney