Re: Security Hole in HTTP (RFC1945) - Browser-Spoofing

[Szilveszter Adam <adam () hif hu>]

Ron Stiemer wrote:

> Hi List,
>
> can anybody confirm this, or is it just an april's fool joke ?

Yes, I can confirm this. After all, I have been "on air" with such a 
spoofed browser authentication :-) string for years now, making website 
statistcs software cry and webmasters scratch their heads. (FWIW, they 
are probably talking about the User-Agent header) If my UA string is to 
be believed, I have already moved to a 256-bit OS just in case. And yes, 
this was used in the past to get access to websites like the moronic 
"only IE allowed here" that were popular a few years ago.

And yes, heise always puts out a joke article (at least one) on April 
1st along with c't. Sometimes it is rather hard to find it, because the 
contents look plausible enough at first sight and they even spoof 
literature listings for it :-) So watch out today.

Regards:
Sz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html