I agree. But (as a programmer) would you assume that there can be such
things in the REQUEST_METHOD? The flaw is that Apache accepts anything
after the valid request i.e. GET. There should be an error the the
request was not correct.
Regards Michal.
On 4/24/07, Kradorex Xeron <[EMAIL PROTECTED]> w
Hi.
New info:
alert(document.cookie); /test.php HTTP/1.0
I have no idea why Apache accepts this request but it does :)
Regards Michal.
> On 4/24/07, Kradorex Xeron <[EMAIL PROTECTED]> wrote:
> > This isn't only a problem with that specific variable, it is also a problem
> > with any user-defined
Hi.
I am not a flash expert but you can find many interesting things about
flash and playing with http headers. For instance the case of Expect
XSS Vulnerability. I don't know any way to exploit but If I don't know
it doesn't mean there isn't one :)
Regards Michal.
On 4/24/07, InSiStKool <[EMAIL P
This is a case of poor-programming, on the script coder's part, it is not so
much a vunerability.
That variable only contains what it is sent by apache. it doesn't parse it.
nor is it supposed to. If you want to ensure there is no XSS going on, parse
the variable, escape characters, etc as it I
There exist a flaw in a way how Apache and php combination handle the
$_SERVER array.
If the programmer writes scrip like this:
He will assume that REQUEST_METHOD can only by: GET,POST,OPTIONS,TRACE
and all that stuff. However this is not true, since Apache accepts
requests that look like this:
GE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200704-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDKSA-2007:093
http://www.mandriva.com/security/
___
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Mandriva Linux Security Advisory MDKSA-2007:092
http://www.mandriva.com/security/
___
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200704-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -
Foresight Linux Essential Advisory: 2007-0013-1
Published: 2007-04-23
Rating: Moderate
Updated Versions:
xine-lib=/[EMAIL PROTECTED]:devel//[EMAIL PROTECTED]:1-devel//1/1.1.6-1.1-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.2.1-0.2-2
References:
https://issues.foresightlinux.org/brow
--On Monday, April 23, 2007 14:08:09 -0400 David Maynor
<[EMAIL PROTECTED]> wrote:
You guys know Ross left eEye weeks ago...
http://blogs.zdnet.com/security/?p=148
I confess. I don't track the careers of CEOs. Sorry.
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The
You guys know Ross left eEye weeks ago...
http://blogs.zdnet.com/security/?p=148
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul
Schmehl
Sent: Monday, April 23, 2007 12:23 PM
To: full-disclosure
Subject: Re: [Full-disclosure] Apparently eEye's blog go
--On Monday, April 23, 2007 05:00:49 -0400 [EMAIL PROTECTED] wrote:
On Sun, 22 Apr 2007 11:46:41 CDT, Paul Schmehl said:
--On April 22, 2007 10:45:17 AM +0200 poo <[EMAIL PROTECTED]> wrote:
> or maybe ross retard got his login info owned
Why take the whole site down then? All you'd have to
On Mon, Apr 23, 2007 at 10:11:38AM +0200, Ferdinand Klinzer wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> But that sound funny levent_ but still you are 31337 hacker
> pz
> :)
>
>
> Am 22.04.2007 um 17:51 schrieb Levent Kayan:
>
> > On Sun, Apr 22, 2007 at 05:41:25PM +0200, Sebas
Background:
3proxy [1] is universal multifunctional free open source proxy server
with multiple protocols supports (HTTP/HTTPS/Ftp over HTTP, POP3, FTP,
SOCKS 4/4.5/5, UDP and TCP portmapping, DNS proxy) with ACL-based access
control, proxy chaining, traffic accounting, bandwidth limi
On Sun, 22 Apr 2007 11:46:41 CDT, Paul Schmehl said:
> --On April 22, 2007 10:45:17 AM +0200 poo <[EMAIL PROTECTED]> wrote:
> > or maybe ross retard got his login info owned
> Why take the whole site down then? All you'd have to do is disable his
> account.
Umm? Maybe for some real *basic* secu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
But that sound funny levent_ but still you are 31337 hacker
pz
:)
Am 22.04.2007 um 17:51 schrieb Levent Kayan:
> On Sun, Apr 22, 2007 at 05:41:25PM +0200, Sebastian Rother wrote:
>> On Sun, 22 Apr 2007 01:32:35 -0400
>> [EMAIL PROTECTED] (Youness Al
17 matches
Mail list logo