Last night i was developing with ServerXMLHTTP. ServerXMLHTTP is included with the Microsoft XML Parser (MSXML) version 3.0 or later.
Do not confuse ServerXMLHTTP with XMLHTTP, which is designed for client applications and relies on URLMon, which is built upon Microsoft Win32 Internet (WinInet).
The following bug is regarding to ServerXMLHTTP (so also: MSXML 3 – MSXML 4 SP2)
When doing a POST to an URL, and it responses with a "HTTP 303 – See Other" code, ServerXMLHTTP will RE-POST to the given URI.
According to the HTTP specifications it should follow the given URI with a GET request.
This issue is actually a ‘wrong implementation’ by Microsoft.
I see two possible security issues:
- Reposting username/password to another URI (without user’s notice).
- Redirect Looping when the 303 is pointing to the same source (i.e. http://www.abnamro.nl/ does this for Internet Banking). However i saw that after many redirects, the ServerXMLHTTP will exit with a ‘redirect problem’ to avoid buffer overflow and other ‘damage’. I’m note sure if all versions do this.
I reported this problem to Microsoft by phone (0800-MICROSOFT, from the Netherlands) and by E-Mail (firstname.lastname@example.org), both at September, 12th, 2006.