Edmund Lian wrote:
> On 01/03/2003 07:57:08 PM Edmund Lian wrote:
> Oh yes, there is another even simpler way to get at a URL-encoded session
> ID... the rogue user only has to post an image with a href pointing back to
> their computer. This way, a victim doesn't even have to click on a URL to
> be exposed; he/she only has to view a message with the externally-sourced
> image.
Ah. I've now been enlightened. :) Thank you, Edmund, Stuart, and Tavis. The Referer header is something which I certainly need to watch for. Sites I develop are more usually shopping cart or product sites than community sites, so I hadn't encountered that possibility.

--
Randall Randall <[EMAIL PROTECTED]>
"[The] poetic justice of cause and effect compels respect, compassion." -- Faithless, God is a DJ.

Webware-discuss mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/webware-discuss
