On Sun, September 28, 2008 23:52, Stefan Fritsch wrote:
> I don't think this is accurate. The browser will happily send the session
> cookie unencrypted even if the target webserver gives e.g. a 302 or 404 on
> the corresponding http URL. If a proxy is used, the squirrelmail server
> doesn't even need to have port 80 open. All an attacker has to do is lure
> the victim to a page that has an http link to the squirrelmail server as
> an inline image and snoop the http request from the victim's browser.
Hmm, I didn't realise that that would also work. Still, because of the behaviour change I'm not eager to push it in a DSA.

Thijs

_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
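A reproduction of the cookie behaviour Stefan describes, as an added example that is not part of the thread or of SquirrelMail's own code: Python's standard cookie jar follows the same rule as a browser, so it shows the session cookie being attached to a plain-http request for an inline image unless the cookie carries the Secure attribute. The host name, paths and session id are constructed.

```python
"""Added example (not from the thread): why the session cookie needs Secure.

The standard-library cookie jar applies the same rule a browser does: a cookie
received over https is attached to any later plain-http request to the same
host unless it was marked Secure, regardless of what the http side would
answer (302, 404 or nothing at all). Host and cookie value are constructed.
"""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class _Response:
    """Minimal stand-in for an http.client response: CookieJar.extract_cookies()
    only needs info() to return a header mapping with get_all()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def replayed_cookie(set_cookie_header, scheme, host="webmail.example.org"):
    """Store the cookie as if it arrived in an https login response from host,
    then return the Cookie header the jar attaches to a later request for an
    inline image at scheme://host/ (None when the jar refuses to send it)."""
    jar = CookieJar()
    login_response = urllib.request.Request(f"https://{host}/src/login.php")
    jar.extract_cookies(_Response(set_cookie_header), login_response)

    # The lure page's <img src="http://host/..."> triggers this request.
    image_request = urllib.request.Request(f"{scheme}://{host}/images/logo.png")
    jar.add_cookie_header(image_request)
    return image_request.get_header("Cookie")


if __name__ == "__main__":
    # Constructed session id; a real one is random.
    weak = "SQMSESSID=constructed-session-id; Path=/; HttpOnly"
    fixed = weak + "; Secure"
    for label, header in (("without Secure", weak), ("with Secure", fixed)):
        for scheme in ("https", "http"):
            print(f"{label:15} over {scheme:5}: {replayed_cookie(header, scheme)}")
```

HttpOnly does not help here: it only hides the cookie from script, while Secure is what stops the browser from sending it in clear.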