-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
>> The 2005 text does briefly mention "Accessing content / web-scanning"
>> (take a look at Notes 1-3).
>>
>> So the problem is much older.
Well, that's Micro$loth for ya.
Amit Klein wrote:
> Michal Zalewski wrote:
>> On Sat, 3 Feb 2007, Michal Zal
Michal Zalewski wrote:
> On Sat, 3 Feb 2007, Michal Zalewski wrote:
>
>
>> xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n";, "x",true);
>>
>
> Funny enough, Paul Szabo was quick to point out that Amit Klein found the
> same vector that I used here for client-side backdoors in May 2
Yes this is bad!
On 2/3/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Sat, 3 Feb 2007, Michal Zalewski wrote:
> xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n";, "x",true);
Funny enough, Paul Szabo was quick to point out that Amit Klein found the
same vector that I used here for
On Sun, 4 Feb 2007, Tyop? wrote:
>> This is getting depressing. May 2006.
> but not really surprising, yes?
No, though this bug is truly remarkable in that a quick fix, I'm quite
certain, amounts to changing "!= ' '" to "> ' '" in the code.
That's two characters, and no chance for a negative imp
On 2/3/07, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> On Sat, 3 Feb 2007, Michal Zalewski wrote:
>> xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n";, "x",true);
> Funny enough, Paul Szabo was quick to point out that Amit Klein found the
> same vector that I used here for client-side back
On Sat, 3 Feb 2007, Michal Zalewski wrote:
> xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n";, "x",true);
Funny enough, Paul Szabo was quick to point out that Amit Klein found the
same vector that I used here for client-side backdoors in May 2006 (still
not patched?! *shrieks in horror*)
As you probably know, the famous "web 2.0" XMLHttpRequest object allows
client-side web scripts to send nearly arbitrary HTTP requests, and then
freely analyze and manipulate the returned response, including HTTP
headers.
This gives an unprecedented level of control over your browser to the
author