Full Disclosure mailing list archives

Re: Netvolution referer header SQL injection vulnerability

From: Dimitris Glynos <dimitris () census gr>
Date: Tue, 04 Oct 2011 02:30:08 +0300

On 10/03/2011 01:47 PM, Dimitris Glynos wrote:

As header field values are normally not included in HTTP transaction
logs, an attack based on this vulnerability may go unnoticed by web
server administrators.


A correction:

Although most header fields are not normally included in HTTP
transaction logs, the referer one usually is. Hence the above
argument holds true only for web servers with minimal logging
setups (e.g. IIS 6.0 using IIS Log File Format).

Cheers,

Dimitris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Netvolution referer header SQL injection vulnerability Dimitris Glynos (Oct 03)
- Re: Netvolution referer header SQL injection vulnerability Dimitris Glynos (Oct 04)